US20170155640A1 - Single sign-on for managed mobile devices using kerberos - Google Patents
Single sign-on for managed mobile devices using kerberos Download PDFInfo
- Publication number
- US20170155640A1 US20170155640A1 US15/428,467 US201715428467A US2017155640A1 US 20170155640 A1 US20170155640 A1 US 20170155640A1 US 201715428467 A US201715428467 A US 201715428467A US 2017155640 A1 US2017155640 A1 US 2017155640A1
- Authority
- US
- United States
- Prior art keywords
- ticket
- service
- client device
- certificate
- response
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 230000004044 response Effects 0.000 claims abstract description 47
- 238000000034 method Methods 0.000 claims description 40
- 238000010200 validation analysis Methods 0.000 claims description 3
- 230000008569 process Effects 0.000 description 30
- 238000004891 communication Methods 0.000 description 29
- 230000006870 function Effects 0.000 description 12
- 235000014510 cooky Nutrition 0.000 description 10
- 230000006855 networking Effects 0.000 description 9
- 238000010586 diagram Methods 0.000 description 7
- 230000011218 segmentation Effects 0.000 description 7
- 238000000926 separation method Methods 0.000 description 7
- 238000012546 transfer Methods 0.000 description 7
- 238000012545 processing Methods 0.000 description 5
- 239000003795 chemical substances by application Substances 0.000 description 4
- VJYFKVYYMZPMAB-UHFFFAOYSA-N ethoprophos Chemical compound CCCSP(=O)(OCC)SCCC VJYFKVYYMZPMAB-UHFFFAOYSA-N 0.000 description 4
- 230000003993 interaction Effects 0.000 description 4
- 230000009471 action Effects 0.000 description 3
- 238000013475 authorization Methods 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 230000008520 organization Effects 0.000 description 3
- 230000018109 developmental process Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 102100021870 ATP synthase subunit O, mitochondrial Human genes 0.000 description 1
- 230000009118 appropriate response Effects 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000000977 initiatory effect Effects 0.000 description 1
- 238000009434 installation Methods 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 108010007425 oligomycin sensitivity conferring protein Proteins 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 230000001360 synchronised effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/30—Security of mobile devices; Security of mobile applications
- H04W12/37—Managing security policies for mobile devices or for controlling mobile applications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
Definitions
- Users may have many different accounts for a multitude of applications and services. Examples of applications and services may include social networking services, file sharing services, email services, voice communication services, office productivity services, task tracking services, and still others.
- a user may have to establish a corresponding username and password to authenticate for each account. This becomes a difficult and inconvenient practice where numerous accounts are involved. Accordingly, users may set weak passwords that are short or otherwise easy to remember, share passwords among multiple accounts, use third-party password managers, or engage in other practices that might be regarded as insecure.
- identity federation arose as a solution to this problem.
- identity federation a user establishes an account with a federated identity provider. To this end, the user specifies a single set of security credentials.
- the federated account is then linked to a multiplicity of applications and services that are provided by other organizations.
- the user seeks to access applications and services that are linked to the federated account, the user can simply provide the single username, password, or other credentials of the federated account for authentication.
- an organization such as an enterprise may use a directory service such as ACTIVE DIRECTORY by MICROSOFT CORPORATION in order to provide a single log-in for each of multiple applications and services of the organization.
- the end user experience may still be suboptimal. Even assuming that users are able to employ a single federated account for multiple applications and services, the users may be required to enter the federated account credentials separately. For example, suppose that a user logs in with a social networking application provided by a social networking service provider that is also a federated identity provider. Subsequently, the user may want to use a file sharing application that is linked to the federated identity provider. The user may then have to supply the same username and password that was previously entered for the social networking application. Repetitively entering these security credentials for each application and service may frustrate users.
- FIG. 1 is a drawing illustrating an example scenario of the disclosure.
- FIG. 2 is a drawing of a networked environment according to various examples of the disclosure.
- FIG. 3 is a sequence diagram illustrating an example component interaction according to various examples of the present disclosure.
- FIGS. 4-8 are flowcharts illustrating examples of functionality according to various examples of the present disclosure.
- FIG. 9 is a sequence diagram illustrating an example implementation of an embodiment of the present disclosure using Kerberos.
- the present disclosure relates to providing a single sign-on experience for users of mobile devices.
- a single sign-on experience a user enters or obtains a single set of security credentials for an account and, upon authentication, the user is able to access multiple different applications and services that are linked to that account.
- Multi-factor authentication can also be employed where the user is required to provide a combination of knowledge, possession, or biometric authentication factors.
- the term “single sign-on” can include scenarios in which a user is required to re-enter security credentials due to session timeouts, inactivity periods, suspicious activities, or other events that could cause authentication of the user to be doubted.
- a single sign-on experience can be enabled by way of cookies.
- a cookie In response to a user logging in with a federated identity provider, a cookie can be stored on the user's device that contains a token indicating authentication. When the user later accesses another network site that supports authentication by way of the federated identity provider, the cookie is presented and the token can be exchanged for a site-specific token. Consequently, the user does not have to log in again to access the network site.
- the single sign-on design paradigm from the browser context does not function in the context of mobile applications.
- mobile applications can invoke web views
- cookies that are part of a web view invoked within a mobile application cannot be accessed in other mobile applications or by a browser.
- the cookies and application tokens that indicate successful authentication are not made available to a second mobile application because they can have separate webviews.
- various implementations of the present disclosure facilitate single sign-on within mobile applications and other applications that embody this limitation.
- the requirement to use a particular software development kit (SDK) for each application in order to implement single sign-on can be rendered unnecessary.
- SDK software development kit
- a user launches a management application that can manage applications upon the user's mobile device.
- the management application can be a native mobile application or a web-based management application accessed from a browser.
- the management application renders a user interface configured to receive login information for a device management service.
- the user interface includes a form configured to receive a username and a password. Other security credentials or authentication factors can be elicited in other examples.
- the user selects a log-in entry component.
- the user Upon entering correct log-in information, the user is authenticated, and the user interface can then be updated to indicate to the user that the log-in was successful at 102 . Subsequently, the user can launch or access other managed applications on the mobile device, such as a social networking application at 103 , an email application at 104 , or a file sharing application 105 . These applications can communicate with an external service. Because the user has already been authenticated through the device management application, these applications indicate that the user is already authenticated. Consequently, the user does not have to provide login information for the applications separately, and the user is able to use the services accessed through the respective applications.
- a social networking application at 103 such as a social networking application at 103 , an email application at 104 , or a file sharing application 105 .
- These applications can communicate with an external service. Because the user has already been authenticated through the device management application, these applications indicate that the user is already authenticated. Consequently, the user does not have to provide login information for the applications separately, and
- the networked environment 200 includes a client device 203 , a device management service 204 , an identity provider 206 , a key distribution center (KDC) 207 , a certificate authority 208 , a plurality of service providers 209 a . . . 209 N, and an online certificate status protocol (OSCP) service 210 , which can be in data communication with one another over the network 212 .
- the network 212 includes, for example, the Internet, one or more intranets, extranets, wide area networks (WANs), local area networks (LANs), wired networks, wireless networks, other suitable networks, or any combination of two or more such networks.
- the networks can include satellite networks, cable networks, Ethernet networks, and other types of networks.
- the device management service 204 , the identity provider 206 , the KDC 207 , the certificate authority 208 , the service providers 209 , and the OCSP service 210 can include, for example, a server computer or any other system providing computing capabilities.
- the device management service 204 , the identity provider 206 , the KDC 207 , the certificate authority 208 , the service providers 209 , and the OCSP service 210 can employ multiple computing devices that can be arranged, for example, in one or more server banks, computer banks, or other arrangements.
- the computing devices can be located in a single installation or can be distributed among many different geographical locations.
- the device management service 204 , the identity provider 206 , the KDC 207 , the certificate authority 208 , the service providers 209 , and the OCSP service 210 can include multiple computing devices that together form a hosted computing resource, a grid computing resource, or any other distributed computing arrangement.
- the device management service 204 , the identity provider 206 , the KDC 207 , the certificate authority 208 , the service providers 209 , and the OCSP service 210 can operate as at least a portion of an elastic computing resource where the allotted capacity of processing, network, storage, or other computing-related resources can vary over time.
- the device management service 204 , the identity provider 206 the KDC 207 , the certificate authority 208 , the service providers 209 , and the OCSP service 210 can also include or be operated as one or more virtualized computer instances.
- the device management service 204 , the identity provider 206 the KDC 207 , the certificate authority 208 , the service providers 209 , and the OCSP service 210 can be operated in accordance with particular security protocols such that they are considered trusted computing environments.
- the device management service 204 can manage or oversee the operation of multiple client devices 203 .
- an enterprise such as one or more companies or other organizations, can operate the device management service 204 to oversee or manage the operation of the client devices 203 of employees, contractors, or other users within an enterprise environment.
- the client devices 203 can include managed devices that are managed by the device management service 204 .
- the device management service 204 can establish a secure communications channel with the client devices 203 (e.g., a mobile device management channel, or MDM channel).
- the device management service 204 can establish the secure communications channel by creating a secure communication link with the client device 203 .
- a secure communication link can be established using MDM application programming interfaces (APIs) that are provided by an operating system executed by the client device 203 .
- the secure communications channel can be established using a push notifications framework or notification service provided by an operating system ecosystem associated with the client device 203 that allows for communications between the device management service 204 and a client device 203 over the network 212 that are encrypted using a digital certificate.
- the client device 203 can be enrolled as a managed device with the device management service 204 through APIs provided by the operating system.
- the enrollment process can include authentication of a user's credentials.
- the client device 203 using the MDM APIs of the operating system, can enroll the client device 203 as a managed device so that various management functions can be securely performed over the secure communications channel.
- management functions can include commands to erase certain data from the client device 203 , commands to install certain applications or application updates, commands to lock a client device 203 or activate a display lock feature, a command to remotely perform a factory reset of the client device 203 , or other management functions. Additionally, data can be securely transmitted through the secure communications channel to the client device 203 or applications executed by the client device 203 .
- the operating system of the client device 203 can also provide the ability to create access-restricted storage that is associated with particular applications installed on the client device 203 .
- Access-restricted storage can be associated with multiple applications that are installed on the client device 203 through the secure communications channel.
- applications that are signed by a common certificate can be provided access to the access-restricted storage of each other, whereas applications that are not signed by the certificate do not have access to the access-restricted storage of other applications.
- the device management service 204 can transmit data to the client device 203 over the secure communications channel that can be stored in the access-restricted storage such that it is accessible by certain applications and inaccessible to other applications that are installed on the client device 203 .
- the secure communications channel can be encrypted or secured using a digital certificate that is associated with the client device 203 , the device management service 204 , or an enterprise with which the client device 203 is associated.
- the device management service 204 can obtain a security certificate, such as a secure sockets layer (SSL) certificate, that is unique to a particular enterprise with which a client device 203 is associated.
- SSL secure sockets layer
- an administrator associated with the enterprise can provide a certificate to the device management service 204 using an administrator console or other functionality with which a certificate can be uploaded.
- the certificate can also be signed by a certificate authority, which can in some cases be operated by the device management service 204 .
- the device management service 204 can encrypt or secure the secure communications channel using the certificate so that the secure communications channel is a secure communication link over the network 212 through which data can be sent to the client device 203 .
- the device management service 204 can specify that data sent through the secure communications channel can only be accessed by certain applications installed on the client device 203 .
- the applications that can access data sent through the secure communications channel can also be restricted in how certain data can be manipulated, viewed or handled on the client device 203 .
- an application installed on the client device 203 can be coded to restrict the ability of a user to capture, share, or otherwise remove data from the client device 203 that is received through the secure communications channel.
- the device management service 204 can also facilitate ensuring that client devices 203 that are administered by the device management service 204 are operating in compliance with various compliance rules.
- the device management service 204 can issue management commands that instruct a client device 203 to take a particular action with respect to a compliance rule. For example, if a client device 203 is designated as lost or stolen, the device management service 204 can issue a command instructing the client device 203 to erase data and applications that were previously sent to the client device 203 through the secure communications channel or other communication links and otherwise stored on the client device 203 .
- the device management service 204 can also obtain data from a third party computing environment, such as an application, a security code, authentication token, or other data.
- the device management service 204 can issue a command instructing the client device 203 to erase data and applications stored on the client device 203 .
- the device management service 204 can also issue a command instructing the client device 203 to activate a display lock of the client device 203 that requires a user to enter a personal identification number (PIN) in order to use the client device 203 .
- PIN personal identification number
- the data stored in the management data store 213 and available to the device management service 204 includes, for example, authentication data, compliance rules, device data, and potentially other data.
- the authentication data can include data used to verify one or more security credentials presented by a user for authentication.
- secure certificates can be stored and then be made available to the client device 203 that has been authenticated in order to encrypt the secure communications channel and/or for other functions.
- compliance rules include one or more rules that, when violated, can cause the device management service 204 to issue a management command.
- Compliance rules can include a list of unauthorized hardware functions, software functions, or applications that potentially pose a threat to enterprise data or to the use of enterprise applications.
- a management command can be transmitted to the client device 203 instructing the client device 203 to perform one or more actions specified by the compliance rule.
- a compliance rule can also reside on the client device 203 , which can self-enforce compliance rules.
- the management data store 213 can also include user account data.
- User account data can include information with which a user account can be authenticated, such as user credentials.
- User account data can also include data such as email, contact, calendar data, documents, files or other data that is associated with a user account.
- Device data can represent data stored in the management data store 213 that is associated with client devices 203 that are enrolled with the device management service 204 as managed devices.
- Device data can include a unique device identifier associated with the client device 203 , device policies that are associated with a particular client device 203 , status information associated with a particular client device 203 , and other data that facilitates management of the client device 203 by the device management service 204 .
- Device data can also include user data that is synchronized with a particular client device 203 .
- a user account can be associated with multiple client devices 203 . Different client devices 203 associated with a user account can have different user account data stored thereon. For example, a user's smartphone can have a certain number of documents or email messages stored on the device, whereas the user's laptop or tablet can have varying amounts of types of user account data stored on the device.
- the identity provider 206 can provide a federated identity service on behalf of the service providers 209 .
- the identity provider 206 can be in communication with an identity data store 215 that stores information associated with user identities. This information can include, for example, usernames, security credentials, biometric identity information, authorized client applications, unauthorized client applications, authorized client devices 203 , unauthorized client devices 203 , and so on.
- users are able to authenticate by way of the identity provider 206 in order to access services provided by the multiple service providers 209 .
- the identity provider 206 can include a plurality of platform adapters 216 to facilitate platform-specific authentication on different client platforms, such as IOS, ANDROID, WINDOWS, and so on.
- the KDC 207 can authenticate a client device 203 according to a version of the Kerberos protocol.
- the KDC 207 can be configured to issue a ticket-granting ticket, which is time-stamped, and encrypt it using the credentials supplied by the client device 203 .
- the KDC 207 can also issue service tickets to client devices 203 in response to receiving a previously issued ticket-granting ticket.
- the certificate authority 208 generates and issues digital certificates to computing devices, such as client devices 203 .
- the certificate authority 208 can also track which computing device (e.g., client device 203 ) a particular certificate has been issued to.
- the certificate authority 208 can also revoke a certificate by marking it as invalid and publishing a certificate revocation list to notify other services or computing devices that a previously issued certificate is no longer valid.
- Digital certificates issued by the certificate authority 208 can be used to certify ownership of public or private cryptographic keys in order to facilitate authentication of the identity of a client device 203 or its user, facilitate authentication of a server or service application (e.g., a service provider 209 ), and to establish encrypted communications between two or more computing devices.
- a server or service application e.g., a service provider 209
- the service providers 209 provide corresponding services for client applications.
- the services can include, for example, social networking services, email services, voice communication services, enterprise information management services, productivity services, game services, and so on.
- one or more of the service providers 209 can authenticate users separately from the identity provider 206 , thereby giving users the option to log in either with the identity provider 206 or with the service provider 209 directly.
- the service providers 209 and the identity provider 206 can communicate with the client device 203 over the network 212 by way of hypertext transfer protocol (HTTP), simple object access protocol (SOAP), representational state transfer (REST), and/or other protocols.
- HTTP hypertext transfer protocol
- SOAP simple object access protocol
- REST representational state transfer
- the OCSP service 210 can provide the revocation status of a certificate issued by the certificate authority 208 in response to a request that complies with a version of the online certificate status protocol (OCSP). Accordingly, the OCSP service 210 may periodically retrieve a certificate revocation list (CRL) from the certificate authority 208 in order to track which certificates issued by the certificate authority 208 are currently valid. The OCSP service 210 can then compare the identifier of a certificate included in an OCSP request with the CRL retrieved from the certificate authority 208 to determine the current status of the certificate identified in the OCSP request and provided an appropriate response.
- CTL certificate revocation list
- the client device 203 can represent a processor-based system, such as a computer system, that can be embodied in the form of a desktop computer, a laptop computer, a personal digital assistant, a cellular telephone, a smartphone, a set-top box, a music player, a web pad, a tablet computer system, a game console, an electronic book reader, or any other device with like capability.
- the client device 203 can include a display 218 that includes, for example, one or more devices such as liquid crystal display (LCD) displays or other types of display devices.
- the client device 203 can also be equipped with networking capability or networking interfaces, including a localized networking or communication capability such as an NFC capability, RFID read and/or write capability, a microphone and/or speaker, or other localized communication capability.
- the client device 203 can execute various applications, such as an operating system 219 , a management application 221 , a plurality of client applications 224 a . . . 224 N, and other applications, services, or processes.
- the operating system 219 can provide access to hardware or software resources of the client device 203 to the management application 221 or one or more client applications 224 a . . . 224 N.
- the operating system 219 can also provide various functions to the management application 221 or client applications 224 a . . . 224 N.
- Examples of operating systems 219 include various versions of APPLE IOS, GOOGLE ANDROID, and MICROSOFT WINDOWS.
- the management application 221 can receive security credentials from a user and to authenticate with the device management service 204 . Upon authentication with the device management service 204 , the management application 221 is able to obtain management credentials 225 , which in turn allow the client applications 224 to request identity assertions from the identity provider 206 in order to authenticate the client applications 224 with the respective service providers 209 as will be described. Although described as an application, it is understood that the management application 221 can be an integral component of the operating system 219 of the client device 203 . Also, in some scenarios, the management credentials 225 can be provisioned directly to the operating system for all client applications 224 to use.
- the management credentials 225 can be stored in the operating system itself in these scenarios.
- Various access rules 226 can restrict which client applications 224 are permitted to use the management credentials 225 for authenticating with identity providers 206 .
- the access rules 226 can be maintained and enforced by the identity provider 206 .
- SAML security assertion markup language
- SAML contains a packet of security information that service providers 209 use to make access control decisions.
- SAML supports three types of statements: authentication statements, attribute statements, and authorization decision statements.
- Authentication statements assert to the service provider 209 that the client device 203 authenticated with the identity provider 206 at a particular time using a particular method of authentication.
- An attribute statement asserts that a client device 203 is associated with certain attributes.
- An authorization decision statement asserts that a client application 224 is permitted to perform a certain action relative to a resource offered by the service provider 209 .
- Extensible access control markup language (XACML) and/or other languages can be employed.
- the client applications 224 correspond to a variety of applications that are employed to access services provided by the service providers 209 .
- the client applications 224 can include a web view component, whereby the client applications 224 interact with the service providers 209 to obtain network content by way of hypertext transfer protocol (HTTP) requests and responses.
- HTTP hypertext transfer protocol
- the client applications 224 and the management application 221 can individually render a respective user interface 227 upon the display 218 .
- FIG. 3 shown is a sequence diagram 300 illustrating one example of interaction between the client application 224 , the management application 221 , the device management service 204 , the service provider 209 , and the identity provider 206 .
- Functionality attributed to the client application 224 , the management application 221 , the device management service 204 , the service provider 209 , and the identity provider 206 can be implemented in a single process or application or in multiple processes or applications. The separation or segmentation of functionality as discussed herein is presented for illustrative purposes only.
- the client application 224 sends an access request to the service provider 209 .
- the service provider 209 sends a redirection back to the client application 224 that causes client application 224 to redirect the access request to the identity provider 206 .
- the client application 224 sends an identity assertion request to the identity provider 206 .
- the identity provider 206 detects the type of client application 224 and the platform and responds by requesting authentication by way of a management credential 225 for the specific platform. This can correspond to a certificate challenge or a Kerberos challenge.
- the client application 224 requests the management credential 225 from the management application 221 .
- the management application 221 obtains one or more security credentials from the user by way of a user interface 227 . This step can occur upon initial launch of the management application 221 , with the credentials being stored in various scenarios locally by the management application 221 or on a cloud server, such as identity data store 215 , to provide a single sign-on experience for future accesses.
- the management application 221 sends an authentication request to the device management service 204 .
- the authentication request can specify the security credentials obtained from the user.
- the device management service 204 sends the management credential 225 to the management application 221 .
- the management application 221 returns the management credential 225 to the client application 224 .
- the client application 224 uses the management credential 225 to authenticate with the identity provider 206 .
- the identity provider 206 returns the identity assertion to the client application 224 at step 333 .
- the client application 224 provides the identity assertion to the service provider 209 .
- the service provider 209 verifies the identity assertion.
- the service provider 209 generates a session token, such as an OAuth token, and returns the session token at step 342 .
- Single sign-on is thereby implemented for subsequent client applications 224 or for the client application 224 seeking to authenticate with another service provider 209 .
- the process can repeat again for the client applications 224 a . . . 224 N.
- the user need not enter security credentials again for authenticating client application 224 b , unless perhaps due to inactivity or other events that could cause the identity of the user to be in question.
- Steps 315 , 318 , 321 , 324 , and 327 can be executed during the initial access to the client application 224 a , but these steps can subsequently be omitted for access to the client application 224 b since the management application 221 will have already obtained the management credential 225 .
- the credentials can be stored by the management application 221 and automatically entered at step 318 without user input.
- the user interface can remain stable to avoid “flipping” back and forth, making the process seamless to a user.
- FIG. 4 shown is a flowchart that provides one example of the operation of an identity provider 206 .
- the flowchart of FIG. 4 can be viewed as depicting an example of elements of a method implemented in a computing device.
- Functionality attributed to the identity provider 206 can be implemented in a single process or application or in multiple processes or applications. The separation or segmentation of functionality as discussed herein is presented for illustrative purposes only.
- the identity provider 206 receives an identity assertion request from a client application 224 .
- the client application 224 has been redirected to the identity provider 206 by a service provider 209 .
- the redirection can be performed, for example, by way of a hypertext transfer protocol (HTTP) redirection response having status code 302 .
- HTTP hypertext transfer protocol
- the identity provider 206 in some scenarios can determine that the client application 224 corresponds to a mobile application web view instead of a browser.
- the client application 224 can send a user-agent string to the identity provider 206 within an HTTP request.
- the user-agent string can identify whether the request originates from a specific browser or from a web view of a native application.
- an alternative form of single sign-on for identity federation can be used, as cookies set by the identity provider 206 can be accessed by different service providers 209 .
- the cookies cannot be shared among different applications without the use of specialized software development kits (SDKs).
- the identity provider 206 can be configured to deny access if the client application 224 is a browser or an unmanaged application.
- the identity provider 206 determines a platform of the client device 203 .
- the identity provider 206 can determine the platform also by examining the user-agent string of the HTTP request. For example, the identity provider 206 can determine that the client device 203 corresponds to IOS, ANDROID, WINDOWS, BLACKBERRY, or other platforms based at least in part on corresponding identifiers contained in the user-agent string.
- the identity provider 206 requests authentication by management credential 225 based at least in part on the detected platform of the client device 203 .
- the identity provider 206 can request authentication using a platform-specific management credential 225 after querying a table of platforms based at least in part on information provided by the client device 203 .
- the management credential 225 can include a secure certificate, a Kerberos profile, or other credentials. Accordingly, to allow single sign-on from differing platforms, the platform adapter 216 can request the type of management credential 225 that is appropriate for the client device 203 that is requesting access.
- a platform adapter 216 corresponding to an IOS-specific certificate adapter or Kerberos adapter can be used, such as an esso profile.
- a platform adapter 216 corresponding to a certificate adapter can be used.
- the OSX operating system can use a keychain, and WINDOWS 10 can use account provider credentials.
- the request for authentication can be performed by returning an HTTP response having status code 401 , indicating that authorization is required. Further, the HTTP response can specifically request authentication by a particular protocol, such as the Kerberos protocol, through the use of a management credential 225 .
- the identity provider 206 determines whether the client device 203 corresponds to a managed device. If the client device 203 is a managed device, the authentication of step 408 would complete properly. If the authentication of step 408 fails, the client device 203 can be presumed to be unmanaged. If the client device 203 does not correspond to a managed device, the identity provider 206 continues to step 411 . If the client device 203 does correspond to a managed device, the identity provider 206 moves to step 412 .
- the identity provider 206 receives data associated with or generated by the management credential 225 .
- the identity provider 206 determines that the presented management credential 225 is valid for the requested identity assertion.
- the identity provider 206 can verify whether the management credential 225 is permitted to be used to authenticate specific client applications 224 or for specific service providers 209 .
- the identity assertion is generated and sent to the client application 224 .
- the identity assertion can include security assertion markup language (SAML), extensible access control markup language (XACML), or other data. Thereafter, the process proceeds to completion.
- the identity provider 206 determines whether the client application 224 is permitted to execute on an unmanaged device according to a policy. If the client application 224 is not permitted to execute on an unmanaged device, the identity provider 206 moves from step 411 to step 424 and blocks the authentication of the client application 224 and an unauthorized message may be returned. Thereafter, the process proceeds to completion.
- the identity provider 206 moves from step 411 to step 427 , and the identity provider 206 requests authentication by user-supplied credentials, such as a username and password, biometric credentials, multi-factor credentials, and so on.
- the identity provider 206 receives and validates the user-supplied credentials from the client application 224 .
- the identity provider then moves to step 421 , where the identity assertion is generated and sent to the client application 224 .
- the identity assertion can include security assertion markup language (SAML), extensible access control markup language (XACML), or other data. Thereafter, the process proceeds to completion.
- SAML security assertion markup language
- XACML extensible access control markup language
- FIG. 5 shown is a flowchart that provides one example of the operation of a device management service 204 .
- Functionality attributed to the device management service 204 can be implemented in a single process or application or in multiple processes or applications.
- the separation or segmentation of functionality as discussed herein is presented for illustrative purposes only.
- the device management service 204 receives an enrollment request from a client device 203 .
- a user can navigate to a certain uniform resource locator (URL) in a browser, the management application 221 can be installed on the client device 203 , and a user can accept the terms of the enrollment.
- a platform-specific management certificate can be sent to the management application 221 .
- the platform-specific management certificate can be received within a profile which the client device 203 installs in a profile store as the management profile.
- the device management service 204 receives an authentication request from the management application 221 of the client device 203 .
- the request can specify one or more security credentials, such as usernames, passwords, biometric identification, one-time passwords, and so on.
- the device management service 204 determines that the security credentials that have been presented are valid. If the security credentials are not valid, an error can be generated.
- the device management service 204 sends one or more management credentials 225 to the client device 203 .
- the management credentials 225 can be generated by a certificate authority corresponding to the device management service 204 .
- the management credentials 225 can be employed to create a secure communications channel between the device management service 204 and the management application 221 for device management purposes. Thereafter, the process proceeds to completion.
- FIG. 6 shown is a flowchart that provides one example of the operation of a management application 221 .
- Functionality attributed to the management application 221 can be implemented in a single process or application or in multiple processes or applications.
- the separation or segmentation of functionality as discussed herein is presented for illustrative purposes only.
- the management application 221 receives a single sign-on request from a client application 224 .
- the client application 224 can be prompted to use a management credential 225 in order to authenticate with an identity provider 206 .
- the management application 221 determines whether the user is already authenticated. If the user is not already authenticated, the management application 221 moves to step 609 and renders a user interface 227 on the display 218 that requests one or more security credentials from the user.
- the management application 221 receives the security credentials through the user interface 227 .
- the management application 221 continues to step 615 . If the user is already authenticated by the management application 221 , the management application 221 moves directly from step 606 to step 615 .
- the management application 221 determines whether the client application 224 is authorized to receive the management credential 225 .
- the management application 221 can make this determination with respect to the access rules 226 or by way of communication with the device management service 204 .
- Examples of access rules 216 include detecting whether a device is jailbroken, uses a password of a given length or complexity, is used within a certain geographic area, has certain applications installed, has certain hardware devices (e.g., a fingerprint reader), and/or other meets other criteria relevant to the organization for whom the client device 203 is managed. If the client application 224 is not authorized, the management application 221 moves to step 618 and rejects the request. Thereafter, the process proceeds to completion.
- the management application 221 moves to step 621 and determines whether the management credential 225 has been cached in the client device 203 . If the management credential 225 has been cached, the management application 221 loads the management credential 225 from the cache at step 624 . At step 625 , the management application 221 provides the management credential 225 to the client application 224 . Thereafter, the process proceeds to completion.
- the management application 221 moves from step 621 to step 627 and authenticates with the device management service 204 . To this end, the management application 221 can authenticate using the user-supplied credentials or a session or registration token.
- the management application 221 sends a request for the management credential 225 to the device management service 204 .
- the management application 221 receives the management credential 225 from the device management service 204 .
- the management application 221 provides the management credential 225 to the client application 224 . Thereafter, the process proceeds to completion.
- FIG. 7 shown is a flowchart that provides one example of the operation of a client application 224 .
- Functionality attributed to the client application 224 can be implemented in a single process or application or in multiple processes or applications.
- the separation or segmentation of functionality as discussed herein is presented for illustrative purposes only.
- the client application 224 sends an access request to a service provider 209 .
- the client application 224 receives a redirection to the identity provider 206 .
- the redirection can include a hypertext transfer protocol (HTTP) redirection response having status code 302 .
- HTTP hypertext transfer protocol
- the client application 224 sends an identity assertion request to the identity provider 206 .
- the client application 224 receives a response requesting authentication by a management credential 225 .
- the client application 224 obtains the management credential 225 from the management application 221 .
- the client application 224 can send a request by a local uniform resource locator (URL) to the management application 221 and can also receive a response from the management application 221 by a local URL.
- the local URL used to invoke the management application 221 can include callback information such as a scheme name corresponding to the client application 224 so that the management application 221 can identify the client application 224 and return the requested management credential 225 .
- the client application 224 sends data associated with or generated by the management credential 225 to the identity provider 206 .
- the client application 224 receives an identity assertion from the identity provider 206 .
- the identity assertion can correspond to a security assertion markup language (SAML) assertion or another assertion.
- SAML security assertion markup language
- the client application 224 authenticates with the service provider 209 using the identity assertion.
- the client application 224 receives a session token from the service provider 209 .
- the session token can correspond to an OAuth token.
- the client application 224 can authenticate with the service provider 209 to access resources. Thereafter, the process proceeds to completion.
- FIG. 8 shown is a flowchart that provides one example of the operation of a service provider 209 .
- the flowchart of FIG. 8 can be viewed as depicting an example of elements of a method implemented in a computing device.
- Functionality attributed to the service provider 209 can be implemented in a single process or application or in multiple processes or applications. The separation or segmentation of functionality as discussed herein is presented for illustrative purposes only.
- the service provider 209 receives an access request from a client application 224 .
- the service provider 209 then correlates this access request to the use of the identity provider 206 for authentication.
- the service provider 209 sends a redirection response to the client application 224 .
- This can include a hypertext transfer protocol (HTTP) redirection response with status code 302 .
- the redirection response can redirect the client application 224 to the identity provider 206 .
- the redirection response can include security assertion markup language (SAML) that requests an identity assertion.
- SAML security assertion markup language
- the service provider 209 receives the identity assertion from the client application 224 .
- the service provider 209 verifies the identity assertion.
- the identity assertion can include an authentication token generated by the identity provider 206 , and the service provider 209 can confirm that the authentication token is authentic.
- the service provider 209 generates a session token.
- the service provider 209 sets a session cookie including the session token with the client application 224 .
- the service provider 209 provides service access to the client application 224 based at least in part on the client application 224 presenting the session token, by way of a uniform resource locator (URL) or session cookie. Thereafter, the process can proceed to completion.
- URL uniform resource locator
- FIG. 9 shown is a sequence diagram 900 illustrating one example of interaction between the client application 224 , the operating system 219 , the certificate authority 208 , the identity provider 206 , the platform adaptor 216 , the KDC 207 , the OCSP service 210 , and the service provider 209 .
- Functionality attributed to the client application 224 , the operating system 219 , the certificate authority 208 , the identity provider 206 , the platform adaptor 216 , the KDC 207 , the OCSP service 210 , and the service provider 209 can be implemented in a single process or application or in multiple processes or applications.
- the separation or segmentation of functionality as discussed herein is presented for illustrative purposes only.
- the management application 221 can enroll the client device 203 with the certificate authority 208 . Enrollment of the client device 203 with the certificate authority 208 can occur as part of the process for enrolling the client device 203 with the device management service 204 . As part of the enrollment process, the client device 203 can provide the certificate authority 208 with a device identifier, which allows the certificate authority 208 to track which certificates have been issued to the client device 203 .
- the certificate authority 208 can provision a certificate for the client device 203 and can specify a KDC 207 to be used by the client device 203 .
- the certificate authority 208 can generate the certificate to be used by the client device 203 , cryptographically sign the certificate to verify its authenticity, and send the newly generated and signed certificate to the client device 203 for future use.
- the management application 221 can store the provisioned certificate along with any other management credentials 225 stored on the client device 203 .
- the certificate authority 208 can also send the identity (e.g. URL or IP address) of the KDC 207 to the client device 203 to be used for future Kerberos authentication using the provisioned certificate.
- the client application 224 can be launched.
- the client application 224 can be launched in response to a user interaction with the client device 203 or in response to a request or command from another application (e.g., one application initiating execution of another application).
- the client application 224 can send a request for authentication to the service provider 209 .
- the authentication request may include the identity of the client device 203 , the client application 224 , and potentially other information.
- the authentication request can be sent using a variety of protocols.
- the authentication request can be sent to the service provider 209 in compliance with a version of the hypertext transfer protocol (HTTP).
- HTTP hypertext transfer protocol
- the service provider 209 can send a response to the client application 224 that redirects the client application 224 to the identity provider 206 .
- the service provider could send an HTTP response with a redirect status code (e.g., 301 , 302 , 303 , 307 , or 308 ) that specifies the URL of the identity provider 206 .
- the response can also include a SAML Authentication Request.
- the redirection can be implemented through a SAML HTTP Redirect Binding.
- the SAML Authentication Request can also specify what types of authentication schemes (e.g., Kerberos) should be used to authenticate the client device 203 or client application 224 .
- the client application 224 can send an authentication request to the identity provider 206 .
- the client application 224 could send the SAML Authentication Request it had previously received at step 916 to the identity provider 206 specified by the SAML HTTP Redirect Binding.
- the identity provider 206 can attempt to authenticate the client application 224 with the platform adapter 216 .
- the identity provider 206 can supply the information included in the SAML Authentication Request or otherwise supplied by the client application 224 to the platform adapter 216 . If multiple platform adapters 216 are available, then the identity provider 206 may select either a default platform adapter 216 or a platform adapter specified in the SAML Authentication Request (e.g., a platform adapter 216 that provides Kerberos authentication). The identity provider 206 can then wait for the platform adapter 216 to respond to the authentication attempt of the identity provider 206 .
- the platform adapter 216 can determine that the initial authentication request contains insufficient information to perform Kerberos authentication. The platform adapter 216 therefore can send a Kerberos challenge to the client application 224 . In some implementations, the initial authentication request will be expected to fail because a Kerberos authentication has not yet been performed.
- the operating system 219 e.g., iOS
- the operating system 219 can then send the certificate previously provisioned in step 906 to the KDC 207 previously configured in step 906 in order to obtain a service ticket to present to the platform adapter 216 in response to the Kerberos challenge.
- the KDC 207 can determine whether the certificate provided by the operating system 219 has been revoked. For example, the KDC 207 can send the certificate's fingerprint or other identifying information about the certificate to an OCSP service 210 to verify that the certificate is still valid. However, in alternative implementations, the KDC 207 could request a certificate revocation list from the certificate authority 208 and determine whether the certificate is included in the certificate revocation list.
- the OCSP service 210 can determine the revocation status of the certificate. For example, the OCSP service 210 could compare the certificate's unique identifier to a list of identifiers of revoked certificates previously issued by the certificate authority 208 . As another example, the OCSP service 210 could compare the certificate's unique identifier to a list of identifiers of certificates issued by the certificate authority 208 that are known to still be valid. If the certificate is still valid, the OCSP service 210 can send a response to the KDC 207 indicating that the certificate is still valid.
- the KDC 207 can provide a ticket-granting ticket to the operating system 219 based on the validation of the certificate by the OCSP service 210 .
- the operating system 219 can send a request for a service ticket to the KDC 207 .
- the service ticket may be associated with one or more service providers 209 , allowing a client device 203 that has the service ticket to access each of the associated service providers 209 for as long as the service ticket remains valid.
- the KDC 207 can generate a service ticket and can provide it to the operating system 219 .
- the KDC 207 first determines that the ticket-granting ticket received from the operating system 219 is valid (e.g., has not expired or was previously issued by the KDC 207 or another trusted KDC 207 ).
- the KDC 207 can also check any access permissions associated with the ticket-granting ticket (e.g., whether the ticket-granting ticket authorized to receive a service ticket for access to a particular service provider 209 ).
- the KDC 207 Assuming that the ticket-granting ticket is valid and the access permissions associated with ticket-granting ticket permit the client device 203 to access the service provider 209 , the KDC 207 generates the service ticket and sends it to the operating system 219 . Moving on to step 949 , the operating system 219 provides the service ticket to the platform adapter 216 .
- the platform adapter 216 receives and validates the service ticket. For example, the platform adapter 216 can verify the validity of the service ticket (e.g., issued by authorized KDC 207 , has not expired, or similar checks) and whether the service ticket permits access to the request service provider 209 . If the service ticket is valid and can be used to access the service provider 209 , the platform adapter 216 then responds (e.g. using a function callback) to the login request submitted by the identity provider 206 indicating that the client application 224 is authenticated and authorized to access the service provider 209 .
- the platform adapter 216 responds (e.g. using a function callback) to the login request submitted by the identity provider 206 indicating that the client application 224 is authenticated and authorized to access the service provider 209 .
- the identity provider 206 sends a SAML response to the client application 224 granting access to the service provider 209 .
- the SAML response may include information that was included in the service ticket, such as a username or similar identifier, as well as an assertion that the client application 224 is authorized to access the service provider 209 .
- the client application 224 sends the SAML response received from the identity provider 206 to the service provider indicating that the login was successful.
- the service provider 209 can validate or verify the information in the SAML response and then grant the client application 224 access to the service provider 209 .
- the service provider 209 begins to send application data to the client application 224 in response to requests from the client application 224 .
- each element can represent a module of code or a portion of code that includes program instructions to implement the specified logical function(s).
- the program instructions can be embodied in the form of, for example, source code that includes human-readable statements written in a programming language or machine code that includes machine instructions recognizable by a suitable execution system, such as a processor in a computer system or other system.
- each element can represent a circuit or a number of interconnected circuits that implement the specified logical function(s).
- the client device 203 , the device management service 204 , the identity provider 206 , the service providers 209 , or other components described herein can include at least one processing circuit.
- a processing circuit can include, for example, one or more processors and one or more storage devices that are coupled to a local interface.
- the local interface can include, for example, a data bus with an accompanying address/control bus or any other suitable bus structure.
- the one or more storage devices for a processing circuit can store data or components that are executable by the one or more processors of the processing circuit.
- the device management service 204 , the identity provider 206 , the service providers 209 , the management application 221 , the client applications 224 , and/or other components can be stored in one or more storage devices and be executable by one or more processors.
- a data store, such as the identity data store 215 or the management data store 213 can be stored in the one or more storage devices.
- the identity provider 206 , the device management service 204 , the service providers 209 , the management application 221 , the client applications 224 , and/or other components described herein can be embodied in the form of hardware, as software components that are executable by hardware, or as a combination of software and hardware. If embodied as hardware, the components described herein can be implemented as a circuit or state machine that employs any suitable hardware technology.
- the hardware technology can include, for example, one or more microprocessors, discrete logic circuits having logic gates for implementing various logic functions upon an application of one or more data signals, application specific integrated circuits (ASICs) having appropriate logic gates, programmable logic devices (e.g., field-programmable gate array (FPGAs), and complex programmable logic devices (CPLDs)).
- ASICs application specific integrated circuits
- FPGAs field-programmable gate array
- CPLDs complex programmable logic devices
- one or more or more of the components described herein that include software or program instructions can be embodied in any non-transitory computer-readable medium for use by or in connection with an instruction execution system such as, a processor in a computer system or other system.
- the computer-readable medium can contain, store, and/or maintain the software or program instructions for use by or in connection with the instruction execution system.
- a computer-readable medium can include a physical media, such as, magnetic, optical, semiconductor, and/or other suitable media.
- Examples of a suitable computer-readable media include, but are not limited to, solid-state drives, magnetic drives, or flash memory.
- any logic or component described herein can be implemented and structured in a variety of ways. For example, one or more components described can be implemented as modules or components of a single application. Further, one or more components described herein can be executed in one computing device or by using multiple computing devices.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Information Transfer Between Computers (AREA)
Abstract
Description
- This continuation-in-part application claims priority to, and the benefit of, U.S. patent application Ser. No. 14/739,975, entitled “SINGLE SIGN-ON FOR MANAGED MOBILE DEVICES” and filed on Jun. 15, 2015. This application is also related to U.S. patent application Ser. No. 14/739,980, entitled “SINGLE SIGN-ON FOR MANAGED MOBILE DEVICES” and filed on Jun. 15, 2015, under Attorney Docket Number W205.02. This application is further related to U.S. patent application Ser. No. 14/739,983, entitled “SINGLE SIGN-ON FOR UNMANAGED MOBILE DEVICES” and filed on Jun. 15, 2015 under Attorney Docket Number W204.01. In addition, this application is related to U.S. patent application Ser. No. 14/739,972, entitled “SINGLE SIGN-ON FOR UNMANAGED MOBILE DEVICES” and filed on Jun. 15, 2015 under Attorney Docket Number W204.02. Each of these applications is incorporated herein by reference in its entirety.
- Users may have many different accounts for a multitude of applications and services. Examples of applications and services may include social networking services, file sharing services, email services, voice communication services, office productivity services, task tracking services, and still others. A user may have to establish a corresponding username and password to authenticate for each account. This becomes a difficult and inconvenient practice where numerous accounts are involved. Accordingly, users may set weak passwords that are short or otherwise easy to remember, share passwords among multiple accounts, use third-party password managers, or engage in other practices that might be regarded as insecure.
- The concept of identity federation arose as a solution to this problem. Under identity federation, a user establishes an account with a federated identity provider. To this end, the user specifies a single set of security credentials. The federated account is then linked to a multiplicity of applications and services that are provided by other organizations. When the user seeks to access applications and services that are linked to the federated account, the user can simply provide the single username, password, or other credentials of the federated account for authentication. In like manner, an organization such as an enterprise may use a directory service such as ACTIVE DIRECTORY by MICROSOFT CORPORATION in order to provide a single log-in for each of multiple applications and services of the organization.
- Despite the availability of identity federation, the end user experience may still be suboptimal. Even assuming that users are able to employ a single federated account for multiple applications and services, the users may be required to enter the federated account credentials separately. For example, suppose that a user logs in with a social networking application provided by a social networking service provider that is also a federated identity provider. Subsequently, the user may want to use a file sharing application that is linked to the federated identity provider. The user may then have to supply the same username and password that was previously entered for the social networking application. Repetitively entering these security credentials for each application and service may frustrate users.
- Many aspects of the present disclosure can be better understood with reference to the following drawings. The components in the drawings are not necessarily to scale, with emphasis instead being placed upon clearly illustrating the principles of the disclosure. Moreover, in the drawings, like reference numerals designate corresponding parts throughout the several views.
-
FIG. 1 is a drawing illustrating an example scenario of the disclosure. -
FIG. 2 is a drawing of a networked environment according to various examples of the disclosure. -
FIG. 3 is a sequence diagram illustrating an example component interaction according to various examples of the present disclosure. -
FIGS. 4-8 are flowcharts illustrating examples of functionality according to various examples of the present disclosure. -
FIG. 9 is a sequence diagram illustrating an example implementation of an embodiment of the present disclosure using Kerberos. - The present disclosure relates to providing a single sign-on experience for users of mobile devices. With a single sign-on experience, a user enters or obtains a single set of security credentials for an account and, upon authentication, the user is able to access multiple different applications and services that are linked to that account. Multi-factor authentication can also be employed where the user is required to provide a combination of knowledge, possession, or biometric authentication factors. As contemplated herein, the term “single sign-on” can include scenarios in which a user is required to re-enter security credentials due to session timeouts, inactivity periods, suspicious activities, or other events that could cause authentication of the user to be doubted.
- In the context of a web browser, a single sign-on experience can be enabled by way of cookies. In response to a user logging in with a federated identity provider, a cookie can be stored on the user's device that contains a token indicating authentication. When the user later accesses another network site that supports authentication by way of the federated identity provider, the cookie is presented and the token can be exchanged for a site-specific token. Consequently, the user does not have to log in again to access the network site.
- However, the single sign-on design paradigm from the browser context does not function in the context of mobile applications. Although mobile applications can invoke web views, cookies that are part of a web view invoked within a mobile application cannot be accessed in other mobile applications or by a browser. Even assuming that a user logs into a federated account by way of a first mobile application, the cookies and application tokens that indicate successful authentication are not made available to a second mobile application because they can have separate webviews. As will be described, various implementations of the present disclosure facilitate single sign-on within mobile applications and other applications that embody this limitation. Moreover, according to the present disclosure, the requirement to use a particular software development kit (SDK) for each application in order to implement single sign-on can be rendered unnecessary.
- Specifically, in the present disclosure, examples are disclosed that enable a single sign-on experience for mobile devices that are managed. With reference to
FIG. 1 , shown is a pictorial diagram of an example single sign-onscenario 100. At 101, a user launches a management application that can manage applications upon the user's mobile device. The management application can be a native mobile application or a web-based management application accessed from a browser. The management application renders a user interface configured to receive login information for a device management service. Specifically in this example, the user interface includes a form configured to receive a username and a password. Other security credentials or authentication factors can be elicited in other examples. After the user enters the information, the user selects a log-in entry component. - Upon entering correct log-in information, the user is authenticated, and the user interface can then be updated to indicate to the user that the log-in was successful at 102. Subsequently, the user can launch or access other managed applications on the mobile device, such as a social networking application at 103, an email application at 104, or a
file sharing application 105. These applications can communicate with an external service. Because the user has already been authenticated through the device management application, these applications indicate that the user is already authenticated. Consequently, the user does not have to provide login information for the applications separately, and the user is able to use the services accessed through the respective applications. - With reference to
FIG. 2 , shown is anetworked environment 200 according to various examples. Thenetworked environment 200 includes aclient device 203, adevice management service 204, anidentity provider 206, a key distribution center (KDC) 207, acertificate authority 208, a plurality ofservice providers 209 a . . . 209N, and an online certificate status protocol (OSCP)service 210, which can be in data communication with one another over thenetwork 212. Thenetwork 212 includes, for example, the Internet, one or more intranets, extranets, wide area networks (WANs), local area networks (LANs), wired networks, wireless networks, other suitable networks, or any combination of two or more such networks. For example, the networks can include satellite networks, cable networks, Ethernet networks, and other types of networks. - The
device management service 204, theidentity provider 206, theKDC 207, thecertificate authority 208, theservice providers 209, and theOCSP service 210 can include, for example, a server computer or any other system providing computing capabilities. Alternatively, thedevice management service 204, theidentity provider 206, theKDC 207, thecertificate authority 208, theservice providers 209, and theOCSP service 210 can employ multiple computing devices that can be arranged, for example, in one or more server banks, computer banks, or other arrangements. The computing devices can be located in a single installation or can be distributed among many different geographical locations. For example, thedevice management service 204, theidentity provider 206, theKDC 207, thecertificate authority 208, theservice providers 209, and theOCSP service 210 can include multiple computing devices that together form a hosted computing resource, a grid computing resource, or any other distributed computing arrangement. In some cases, thedevice management service 204, theidentity provider 206, theKDC 207, thecertificate authority 208, theservice providers 209, and theOCSP service 210 can operate as at least a portion of an elastic computing resource where the allotted capacity of processing, network, storage, or other computing-related resources can vary over time. Thedevice management service 204, theidentity provider 206 theKDC 207, thecertificate authority 208, theservice providers 209, and theOCSP service 210 can also include or be operated as one or more virtualized computer instances. Generally, thedevice management service 204, theidentity provider 206 theKDC 207, thecertificate authority 208, theservice providers 209, and theOCSP service 210 can be operated in accordance with particular security protocols such that they are considered trusted computing environments. - The
device management service 204 can manage or oversee the operation ofmultiple client devices 203. In some examples, an enterprise, such as one or more companies or other organizations, can operate thedevice management service 204 to oversee or manage the operation of theclient devices 203 of employees, contractors, or other users within an enterprise environment. In this sense, theclient devices 203 can include managed devices that are managed by thedevice management service 204. - To facilitate management of
client devices 203, thedevice management service 204 can establish a secure communications channel with the client devices 203 (e.g., a mobile device management channel, or MDM channel). Thedevice management service 204 can establish the secure communications channel by creating a secure communication link with theclient device 203. A secure communication link can be established using MDM application programming interfaces (APIs) that are provided by an operating system executed by theclient device 203. In some examples, the secure communications channel can be established using a push notifications framework or notification service provided by an operating system ecosystem associated with theclient device 203 that allows for communications between thedevice management service 204 and aclient device 203 over thenetwork 212 that are encrypted using a digital certificate. - The
client device 203 can be enrolled as a managed device with thedevice management service 204 through APIs provided by the operating system. The enrollment process can include authentication of a user's credentials. Upon authentication of a user's credentials by thedevice management service 204, theclient device 203, using the MDM APIs of the operating system, can enroll theclient device 203 as a managed device so that various management functions can be securely performed over the secure communications channel. - Examples of management functions can include commands to erase certain data from the
client device 203, commands to install certain applications or application updates, commands to lock aclient device 203 or activate a display lock feature, a command to remotely perform a factory reset of theclient device 203, or other management functions. Additionally, data can be securely transmitted through the secure communications channel to theclient device 203 or applications executed by theclient device 203. - Additionally, the operating system of the
client device 203 can also provide the ability to create access-restricted storage that is associated with particular applications installed on theclient device 203. Access-restricted storage can be associated with multiple applications that are installed on theclient device 203 through the secure communications channel. In some scenarios, applications that are signed by a common certificate can be provided access to the access-restricted storage of each other, whereas applications that are not signed by the certificate do not have access to the access-restricted storage of other applications. Additionally, thedevice management service 204 can transmit data to theclient device 203 over the secure communications channel that can be stored in the access-restricted storage such that it is accessible by certain applications and inaccessible to other applications that are installed on theclient device 203. - The secure communications channel can be encrypted or secured using a digital certificate that is associated with the
client device 203, thedevice management service 204, or an enterprise with which theclient device 203 is associated. In one scenario, thedevice management service 204 can obtain a security certificate, such as a secure sockets layer (SSL) certificate, that is unique to a particular enterprise with which aclient device 203 is associated. In one example, an administrator associated with the enterprise can provide a certificate to thedevice management service 204 using an administrator console or other functionality with which a certificate can be uploaded. The certificate can also be signed by a certificate authority, which can in some cases be operated by thedevice management service 204. Thedevice management service 204 can encrypt or secure the secure communications channel using the certificate so that the secure communications channel is a secure communication link over thenetwork 212 through which data can be sent to theclient device 203. - Additionally, the
device management service 204 can specify that data sent through the secure communications channel can only be accessed by certain applications installed on theclient device 203. The applications that can access data sent through the secure communications channel can also be restricted in how certain data can be manipulated, viewed or handled on theclient device 203. For example, an application installed on theclient device 203 can be coded to restrict the ability of a user to capture, share, or otherwise remove data from theclient device 203 that is received through the secure communications channel. - The
device management service 204 can also facilitate ensuring thatclient devices 203 that are administered by thedevice management service 204 are operating in compliance with various compliance rules. In one scenario, thedevice management service 204 can issue management commands that instruct aclient device 203 to take a particular action with respect to a compliance rule. For example, if aclient device 203 is designated as lost or stolen, thedevice management service 204 can issue a command instructing theclient device 203 to erase data and applications that were previously sent to theclient device 203 through the secure communications channel or other communication links and otherwise stored on theclient device 203. Thedevice management service 204 can also obtain data from a third party computing environment, such as an application, a security code, authentication token, or other data. As another example, if thedevice management service 204 determines that aclient device 203 has violated a compliance rule with respect to having unauthorized modifications or unauthorized applications installed on theclient device 203, thedevice management service 204 can issue a command instructing theclient device 203 to erase data and applications stored on theclient device 203. As a further example, thedevice management service 204 can also issue a command instructing theclient device 203 to activate a display lock of theclient device 203 that requires a user to enter a personal identification number (PIN) in order to use theclient device 203. - The data stored in the
management data store 213 and available to thedevice management service 204 includes, for example, authentication data, compliance rules, device data, and potentially other data. The authentication data can include data used to verify one or more security credentials presented by a user for authentication. To this end, secure certificates can be stored and then be made available to theclient device 203 that has been authenticated in order to encrypt the secure communications channel and/or for other functions. - Within the context of an enterprise, compliance rules include one or more rules that, when violated, can cause the
device management service 204 to issue a management command. Compliance rules can include a list of unauthorized hardware functions, software functions, or applications that potentially pose a threat to enterprise data or to the use of enterprise applications. As noted above, ifclient device 203 falls out of compliance with one or more compliance rules, a management command can be transmitted to theclient device 203 instructing theclient device 203 to perform one or more actions specified by the compliance rule. Alternatively, a compliance rule can also reside on theclient device 203, which can self-enforce compliance rules. Themanagement data store 213 can also include user account data. User account data can include information with which a user account can be authenticated, such as user credentials. User account data can also include data such as email, contact, calendar data, documents, files or other data that is associated with a user account. - Device data can represent data stored in the
management data store 213 that is associated withclient devices 203 that are enrolled with thedevice management service 204 as managed devices. Device data can include a unique device identifier associated with theclient device 203, device policies that are associated with aparticular client device 203, status information associated with aparticular client device 203, and other data that facilitates management of theclient device 203 by thedevice management service 204. Device data can also include user data that is synchronized with aparticular client device 203. A user account can be associated withmultiple client devices 203.Different client devices 203 associated with a user account can have different user account data stored thereon. For example, a user's smartphone can have a certain number of documents or email messages stored on the device, whereas the user's laptop or tablet can have varying amounts of types of user account data stored on the device. - The
identity provider 206 can provide a federated identity service on behalf of theservice providers 209. To this end, theidentity provider 206 can be in communication with anidentity data store 215 that stores information associated with user identities. This information can include, for example, usernames, security credentials, biometric identity information, authorized client applications, unauthorized client applications, authorizedclient devices 203,unauthorized client devices 203, and so on. As will be described, users are able to authenticate by way of theidentity provider 206 in order to access services provided by themultiple service providers 209. Theidentity provider 206 can include a plurality ofplatform adapters 216 to facilitate platform-specific authentication on different client platforms, such as IOS, ANDROID, WINDOWS, and so on. - The
KDC 207 can authenticate aclient device 203 according to a version of the Kerberos protocol. TheKDC 207 can be configured to issue a ticket-granting ticket, which is time-stamped, and encrypt it using the credentials supplied by theclient device 203. TheKDC 207 can also issue service tickets toclient devices 203 in response to receiving a previously issued ticket-granting ticket. - The
certificate authority 208 generates and issues digital certificates to computing devices, such asclient devices 203. Thecertificate authority 208 can also track which computing device (e.g., client device 203) a particular certificate has been issued to. Thecertificate authority 208 can also revoke a certificate by marking it as invalid and publishing a certificate revocation list to notify other services or computing devices that a previously issued certificate is no longer valid. Digital certificates issued by thecertificate authority 208 can be used to certify ownership of public or private cryptographic keys in order to facilitate authentication of the identity of aclient device 203 or its user, facilitate authentication of a server or service application (e.g., a service provider 209), and to establish encrypted communications between two or more computing devices. - The
service providers 209 provide corresponding services for client applications. The services can include, for example, social networking services, email services, voice communication services, enterprise information management services, productivity services, game services, and so on. In some examples, one or more of theservice providers 209 can authenticate users separately from theidentity provider 206, thereby giving users the option to log in either with theidentity provider 206 or with theservice provider 209 directly. - The
service providers 209 and theidentity provider 206 can communicate with theclient device 203 over thenetwork 212 by way of hypertext transfer protocol (HTTP), simple object access protocol (SOAP), representational state transfer (REST), and/or other protocols. - The
OCSP service 210 can provide the revocation status of a certificate issued by thecertificate authority 208 in response to a request that complies with a version of the online certificate status protocol (OCSP). Accordingly, theOCSP service 210 may periodically retrieve a certificate revocation list (CRL) from thecertificate authority 208 in order to track which certificates issued by thecertificate authority 208 are currently valid. TheOCSP service 210 can then compare the identifier of a certificate included in an OCSP request with the CRL retrieved from thecertificate authority 208 to determine the current status of the certificate identified in the OCSP request and provided an appropriate response. - The
client device 203 can represent a processor-based system, such as a computer system, that can be embodied in the form of a desktop computer, a laptop computer, a personal digital assistant, a cellular telephone, a smartphone, a set-top box, a music player, a web pad, a tablet computer system, a game console, an electronic book reader, or any other device with like capability. Theclient device 203 can include adisplay 218 that includes, for example, one or more devices such as liquid crystal display (LCD) displays or other types of display devices. Theclient device 203 can also be equipped with networking capability or networking interfaces, including a localized networking or communication capability such as an NFC capability, RFID read and/or write capability, a microphone and/or speaker, or other localized communication capability. - The
client device 203 can execute various applications, such as anoperating system 219, amanagement application 221, a plurality ofclient applications 224 a . . . 224N, and other applications, services, or processes. Theoperating system 219 can provide access to hardware or software resources of theclient device 203 to themanagement application 221 or one ormore client applications 224 a . . . 224N. Theoperating system 219 can also provide various functions to themanagement application 221 orclient applications 224 a . . . 224N. Examples ofoperating systems 219 include various versions of APPLE IOS, GOOGLE ANDROID, and MICROSOFT WINDOWS. - The
management application 221 can receive security credentials from a user and to authenticate with thedevice management service 204. Upon authentication with thedevice management service 204, themanagement application 221 is able to obtain management credentials 225, which in turn allow theclient applications 224 to request identity assertions from theidentity provider 206 in order to authenticate theclient applications 224 with therespective service providers 209 as will be described. Although described as an application, it is understood that themanagement application 221 can be an integral component of theoperating system 219 of theclient device 203. Also, in some scenarios, the management credentials 225 can be provisioned directly to the operating system for allclient applications 224 to use. This can be performed under iOS using either a certificate profile that is installed in a managed certificate keychain or a combination of a certificate and a Kerberos profile together. Rather than being stored in themanagement application 221, the management credentials 225 can be stored in the operating system itself in these scenarios.Various access rules 226 can restrict whichclient applications 224 are permitted to use the management credentials 225 for authenticating withidentity providers 206. In various implementations, the access rules 226 can be maintained and enforced by theidentity provider 206. - An identity assertion in security assertion markup language (SAML), for example, contains a packet of security information that
service providers 209 use to make access control decisions. SAML supports three types of statements: authentication statements, attribute statements, and authorization decision statements. Authentication statements assert to theservice provider 209 that theclient device 203 authenticated with theidentity provider 206 at a particular time using a particular method of authentication. An attribute statement asserts that aclient device 203 is associated with certain attributes. An authorization decision statement asserts that aclient application 224 is permitted to perform a certain action relative to a resource offered by theservice provider 209. Extensible access control markup language (XACML) and/or other languages can be employed. - The
client applications 224 correspond to a variety of applications that are employed to access services provided by theservice providers 209. Theclient applications 224 can include a web view component, whereby theclient applications 224 interact with theservice providers 209 to obtain network content by way of hypertext transfer protocol (HTTP) requests and responses. However, unlike a browser that is used to access various web-based applications, cookies set through oneclient application 224 cannot be accessed by anotherclient application 224. Theclient applications 224 and themanagement application 221 can individually render a respective user interface 227 upon thedisplay 218. - Turning now to
FIG. 3 , shown is a sequence diagram 300 illustrating one example of interaction between theclient application 224, themanagement application 221, thedevice management service 204, theservice provider 209, and theidentity provider 206. Functionality attributed to theclient application 224, themanagement application 221, thedevice management service 204, theservice provider 209, and theidentity provider 206 can be implemented in a single process or application or in multiple processes or applications. The separation or segmentation of functionality as discussed herein is presented for illustrative purposes only. - Beginning with
step 303, theclient application 224 sends an access request to theservice provider 209. Atstep 306, theservice provider 209 sends a redirection back to theclient application 224 that causesclient application 224 to redirect the access request to theidentity provider 206. Atstep 309, theclient application 224 sends an identity assertion request to theidentity provider 206. Atstep 312, theidentity provider 206 detects the type ofclient application 224 and the platform and responds by requesting authentication by way of a management credential 225 for the specific platform. This can correspond to a certificate challenge or a Kerberos challenge. Atstep 315, theclient application 224 requests the management credential 225 from themanagement application 221. - At
step 318, themanagement application 221 obtains one or more security credentials from the user by way of a user interface 227. This step can occur upon initial launch of themanagement application 221, with the credentials being stored in various scenarios locally by themanagement application 221 or on a cloud server, such asidentity data store 215, to provide a single sign-on experience for future accesses. Atstep 321, themanagement application 221 sends an authentication request to thedevice management service 204. The authentication request can specify the security credentials obtained from the user. Atstep 324, thedevice management service 204 sends the management credential 225 to themanagement application 221. Atstep 327, themanagement application 221 returns the management credential 225 to theclient application 224. - At
step 330, theclient application 224 uses the management credential 225 to authenticate with theidentity provider 206. Theidentity provider 206 returns the identity assertion to theclient application 224 atstep 333. Atstep 336, theclient application 224 provides the identity assertion to theservice provider 209. Atstep 339, theservice provider 209 verifies the identity assertion. Theservice provider 209 generates a session token, such as an OAuth token, and returns the session token atstep 342. - Single sign-on is thereby implemented for
subsequent client applications 224 or for theclient application 224 seeking to authenticate with anotherservice provider 209. Thus, the process can repeat again for theclient applications 224 a . . . 224N. However, once the user is authenticated with themanagement application 221 for the purpose of authenticatingclient application 224 a, the user need not enter security credentials again for authenticating client application 224 b, unless perhaps due to inactivity or other events that could cause the identity of the user to be in question.Steps client application 224 a, but these steps can subsequently be omitted for access to the client application 224 b since themanagement application 221 will have already obtained the management credential 225. Alternatively, the credentials can be stored by themanagement application 221 and automatically entered atstep 318 without user input. During the single sign-on process, the user interface can remain stable to avoid “flipping” back and forth, making the process seamless to a user. - Moving on to
FIG. 4 , shown is a flowchart that provides one example of the operation of anidentity provider 206. As an alternative, the flowchart ofFIG. 4 can be viewed as depicting an example of elements of a method implemented in a computing device. Functionality attributed to theidentity provider 206 can be implemented in a single process or application or in multiple processes or applications. The separation or segmentation of functionality as discussed herein is presented for illustrative purposes only. - Beginning with
step 403, theidentity provider 206 receives an identity assertion request from aclient application 224. Theclient application 224 has been redirected to theidentity provider 206 by aservice provider 209. The redirection can be performed, for example, by way of a hypertext transfer protocol (HTTP) redirection response having status code 302. Atstep 406, theidentity provider 206 in some scenarios can determine that theclient application 224 corresponds to a mobile application web view instead of a browser. For example, theclient application 224 can send a user-agent string to theidentity provider 206 within an HTTP request. The user-agent string can identify whether the request originates from a specific browser or from a web view of a native application. With a browser, an alternative form of single sign-on for identity federation can be used, as cookies set by theidentity provider 206 can be accessed bydifferent service providers 209. However, with mobile applications using webviews, the cookies cannot be shared among different applications without the use of specialized software development kits (SDKs). In some cases, theidentity provider 206 can be configured to deny access if theclient application 224 is a browser or an unmanaged application. - At
step 407, theidentity provider 206 determines a platform of theclient device 203. Theidentity provider 206 can determine the platform also by examining the user-agent string of the HTTP request. For example, theidentity provider 206 can determine that theclient device 203 corresponds to IOS, ANDROID, WINDOWS, BLACKBERRY, or other platforms based at least in part on corresponding identifiers contained in the user-agent string. - At
step 408, theidentity provider 206 requests authentication by management credential 225 based at least in part on the detected platform of theclient device 203. Specifically, theidentity provider 206 can request authentication using a platform-specific management credential 225 after querying a table of platforms based at least in part on information provided by theclient device 203. Different types of security credentials and certificates can be used depending on the platform of theclient device 203. For example, the management credential 225 can include a secure certificate, a Kerberos profile, or other credentials. Accordingly, to allow single sign-on from differing platforms, theplatform adapter 216 can request the type of management credential 225 that is appropriate for theclient device 203 that is requesting access. For example, when the platform is IOS, aplatform adapter 216 corresponding to an IOS-specific certificate adapter or Kerberos adapter can be used, such as an esso profile. When the platform is ANDROID, aplatform adapter 216 corresponding to a certificate adapter can be used. As additional examples, the OSX operating system can use a keychain, and WINDOWS 10 can use account provider credentials. The request for authentication can be performed by returning an HTTP response having status code 401, indicating that authorization is required. Further, the HTTP response can specifically request authentication by a particular protocol, such as the Kerberos protocol, through the use of a management credential 225. - At
step 410, theidentity provider 206 determines whether theclient device 203 corresponds to a managed device. If theclient device 203 is a managed device, the authentication ofstep 408 would complete properly. If the authentication ofstep 408 fails, theclient device 203 can be presumed to be unmanaged. If theclient device 203 does not correspond to a managed device, theidentity provider 206 continues to step 411. If theclient device 203 does correspond to a managed device, theidentity provider 206 moves to step 412. - At
step 415, theidentity provider 206 receives data associated with or generated by the management credential 225. Atstep 418, theidentity provider 206 determines that the presented management credential 225 is valid for the requested identity assertion. Theidentity provider 206 can verify whether the management credential 225 is permitted to be used to authenticatespecific client applications 224 or forspecific service providers 209. Atstep 421, if the management credential 225 is determined to be valid, the identity assertion is generated and sent to theclient application 224. The identity assertion can include security assertion markup language (SAML), extensible access control markup language (XACML), or other data. Thereafter, the process proceeds to completion. - If, instead, the
client device 203 is not a managed device, atstep 411, theidentity provider 206 determines whether theclient application 224 is permitted to execute on an unmanaged device according to a policy. If theclient application 224 is not permitted to execute on an unmanaged device, theidentity provider 206 moves fromstep 411 to step 424 and blocks the authentication of theclient application 224 and an unauthorized message may be returned. Thereafter, the process proceeds to completion. - If the
client application 224 is permitted to execute on an unmanaged device, theidentity provider 206 moves fromstep 411 to step 427, and theidentity provider 206 requests authentication by user-supplied credentials, such as a username and password, biometric credentials, multi-factor credentials, and so on. Atstep 430, theidentity provider 206 receives and validates the user-supplied credentials from theclient application 224. The identity provider then moves to step 421, where the identity assertion is generated and sent to theclient application 224. The identity assertion can include security assertion markup language (SAML), extensible access control markup language (XACML), or other data. Thereafter, the process proceeds to completion. - Continuing on to
FIG. 5 , shown is a flowchart that provides one example of the operation of adevice management service 204. Functionality attributed to thedevice management service 204 can be implemented in a single process or application or in multiple processes or applications. The separation or segmentation of functionality as discussed herein is presented for illustrative purposes only. - Beginning with
step 501, thedevice management service 204 receives an enrollment request from aclient device 203. For example, a user can navigate to a certain uniform resource locator (URL) in a browser, themanagement application 221 can be installed on theclient device 203, and a user can accept the terms of the enrollment. Then, a platform-specific management certificate can be sent to themanagement application 221. The platform-specific management certificate can be received within a profile which theclient device 203 installs in a profile store as the management profile. - In
step 503, thedevice management service 204 receives an authentication request from themanagement application 221 of theclient device 203. The request can specify one or more security credentials, such as usernames, passwords, biometric identification, one-time passwords, and so on. Atstep 506, thedevice management service 204 determines that the security credentials that have been presented are valid. If the security credentials are not valid, an error can be generated. - At
step 509, thedevice management service 204 sends one or more management credentials 225 to theclient device 203. The management credentials 225 can be generated by a certificate authority corresponding to thedevice management service 204. The management credentials 225 can be employed to create a secure communications channel between thedevice management service 204 and themanagement application 221 for device management purposes. Thereafter, the process proceeds to completion. - With reference to
FIG. 6 , shown is a flowchart that provides one example of the operation of amanagement application 221. Functionality attributed to themanagement application 221 can be implemented in a single process or application or in multiple processes or applications. The separation or segmentation of functionality as discussed herein is presented for illustrative purposes only. - Beginning with
step 603, themanagement application 221 receives a single sign-on request from aclient application 224. For example, theclient application 224 can be prompted to use a management credential 225 in order to authenticate with anidentity provider 206. Atstep 606, themanagement application 221 determines whether the user is already authenticated. If the user is not already authenticated, themanagement application 221 moves to step 609 and renders a user interface 227 on thedisplay 218 that requests one or more security credentials from the user. Atstep 612, themanagement application 221 receives the security credentials through the user interface 227. Themanagement application 221 continues to step 615. If the user is already authenticated by themanagement application 221, themanagement application 221 moves directly fromstep 606 to step 615. - At
step 615, themanagement application 221 determines whether theclient application 224 is authorized to receive the management credential 225. Themanagement application 221 can make this determination with respect to the access rules 226 or by way of communication with thedevice management service 204. Examples ofaccess rules 216 include detecting whether a device is jailbroken, uses a password of a given length or complexity, is used within a certain geographic area, has certain applications installed, has certain hardware devices (e.g., a fingerprint reader), and/or other meets other criteria relevant to the organization for whom theclient device 203 is managed. If theclient application 224 is not authorized, themanagement application 221 moves to step 618 and rejects the request. Thereafter, the process proceeds to completion. - If the
client application 224 is authorized, themanagement application 221 moves to step 621 and determines whether the management credential 225 has been cached in theclient device 203. If the management credential 225 has been cached, themanagement application 221 loads the management credential 225 from the cache atstep 624. Atstep 625, themanagement application 221 provides the management credential 225 to theclient application 224. Thereafter, the process proceeds to completion. - If the management credential 225 has not been cached, the
management application 221 moves fromstep 621 to step 627 and authenticates with thedevice management service 204. To this end, themanagement application 221 can authenticate using the user-supplied credentials or a session or registration token. Atstep 630, themanagement application 221 sends a request for the management credential 225 to thedevice management service 204. Atstep 633, themanagement application 221 receives the management credential 225 from thedevice management service 204. Atstep 625, themanagement application 221 provides the management credential 225 to theclient application 224. Thereafter, the process proceeds to completion. - Turning now to
FIG. 7 , shown is a flowchart that provides one example of the operation of aclient application 224. Functionality attributed to theclient application 224 can be implemented in a single process or application or in multiple processes or applications. The separation or segmentation of functionality as discussed herein is presented for illustrative purposes only. - Beginning with
step 703, theclient application 224 sends an access request to aservice provider 209. Atstep 706, theclient application 224 receives a redirection to theidentity provider 206. The redirection can include a hypertext transfer protocol (HTTP) redirection response having status code 302. Atstep 709, theclient application 224 sends an identity assertion request to theidentity provider 206. Atstep 712, theclient application 224 receives a response requesting authentication by a management credential 225. - At
step 715, theclient application 224 obtains the management credential 225 from themanagement application 221. To this end, theclient application 224 can send a request by a local uniform resource locator (URL) to themanagement application 221 and can also receive a response from themanagement application 221 by a local URL. The local URL used to invoke themanagement application 221 can include callback information such as a scheme name corresponding to theclient application 224 so that themanagement application 221 can identify theclient application 224 and return the requested management credential 225. - At
step 718, theclient application 224 sends data associated with or generated by the management credential 225 to theidentity provider 206. Atstep 721, theclient application 224 receives an identity assertion from theidentity provider 206. The identity assertion can correspond to a security assertion markup language (SAML) assertion or another assertion. Atstep 724, theclient application 224 authenticates with theservice provider 209 using the identity assertion. Atstep 727, theclient application 224 receives a session token from theservice provider 209. For example, the session token can correspond to an OAuth token. Subsequently, atstep 730, theclient application 224 can authenticate with theservice provider 209 to access resources. Thereafter, the process proceeds to completion. - Referring next to
FIG. 8 , shown is a flowchart that provides one example of the operation of aservice provider 209. As an alternative, the flowchart ofFIG. 8 can be viewed as depicting an example of elements of a method implemented in a computing device. Functionality attributed to theservice provider 209 can be implemented in a single process or application or in multiple processes or applications. The separation or segmentation of functionality as discussed herein is presented for illustrative purposes only. - Beginning with
step 803, theservice provider 209 receives an access request from aclient application 224. Theservice provider 209 then correlates this access request to the use of theidentity provider 206 for authentication. Atstep 806, theservice provider 209 sends a redirection response to theclient application 224. This can include a hypertext transfer protocol (HTTP) redirection response with status code 302. The redirection response can redirect theclient application 224 to theidentity provider 206. The redirection response can include security assertion markup language (SAML) that requests an identity assertion. - At
step 809, theservice provider 209 receives the identity assertion from theclient application 224. Atstep 812, theservice provider 209 verifies the identity assertion. For example, the identity assertion can include an authentication token generated by theidentity provider 206, and theservice provider 209 can confirm that the authentication token is authentic. - At
step 815, theservice provider 209 generates a session token. Atstep 818, theservice provider 209 sets a session cookie including the session token with theclient application 224. Atstep 821, theservice provider 209 provides service access to theclient application 224 based at least in part on theclient application 224 presenting the session token, by way of a uniform resource locator (URL) or session cookie. Thereafter, the process can proceed to completion. - Turning to
FIG. 9 , shown is a sequence diagram 900 illustrating one example of interaction between theclient application 224, theoperating system 219, thecertificate authority 208, theidentity provider 206, theplatform adaptor 216, theKDC 207, theOCSP service 210, and theservice provider 209. Functionality attributed to theclient application 224, theoperating system 219, thecertificate authority 208, theidentity provider 206, theplatform adaptor 216, theKDC 207, theOCSP service 210, and theservice provider 209 can be implemented in a single process or application or in multiple processes or applications. The separation or segmentation of functionality as discussed herein is presented for illustrative purposes only. - Beginning with
step 903, themanagement application 221 can enroll theclient device 203 with thecertificate authority 208. Enrollment of theclient device 203 with thecertificate authority 208 can occur as part of the process for enrolling theclient device 203 with thedevice management service 204. As part of the enrollment process, theclient device 203 can provide thecertificate authority 208 with a device identifier, which allows thecertificate authority 208 to track which certificates have been issued to theclient device 203. - Proceeding to step 906, the
certificate authority 208 can provision a certificate for theclient device 203 and can specify aKDC 207 to be used by theclient device 203. To provision the certificate, thecertificate authority 208 can generate the certificate to be used by theclient device 203, cryptographically sign the certificate to verify its authenticity, and send the newly generated and signed certificate to theclient device 203 for future use. Themanagement application 221 can store the provisioned certificate along with any other management credentials 225 stored on theclient device 203. Thecertificate authority 208 can also send the identity (e.g. URL or IP address) of theKDC 207 to theclient device 203 to be used for future Kerberos authentication using the provisioned certificate. - Moving on to step 909, the
client application 224 can be launched. Theclient application 224 can be launched in response to a user interaction with theclient device 203 or in response to a request or command from another application (e.g., one application initiating execution of another application). - Referring next to step 913, the
client application 224 can send a request for authentication to theservice provider 209. The authentication request may include the identity of theclient device 203, theclient application 224, and potentially other information. The authentication request can be sent using a variety of protocols. For example, the authentication request can be sent to theservice provider 209 in compliance with a version of the hypertext transfer protocol (HTTP). - Proceeding to step 916, the
service provider 209 can send a response to theclient application 224 that redirects theclient application 224 to theidentity provider 206. For example, the service provider could send an HTTP response with a redirect status code (e.g., 301, 302, 303, 307, or 308) that specifies the URL of theidentity provider 206. The response can also include a SAML Authentication Request. In these cases, the redirection can be implemented through a SAML HTTP Redirect Binding. In some instances, the SAML Authentication Request can also specify what types of authentication schemes (e.g., Kerberos) should be used to authenticate theclient device 203 orclient application 224. - Moving on to step 919, the
client application 224 can send an authentication request to theidentity provider 206. For example, theclient application 224 could send the SAML Authentication Request it had previously received atstep 916 to theidentity provider 206 specified by the SAML HTTP Redirect Binding. - Referring next to step 923, the
identity provider 206 can attempt to authenticate theclient application 224 with theplatform adapter 216. For example, theidentity provider 206 can supply the information included in the SAML Authentication Request or otherwise supplied by theclient application 224 to theplatform adapter 216. Ifmultiple platform adapters 216 are available, then theidentity provider 206 may select either adefault platform adapter 216 or a platform adapter specified in the SAML Authentication Request (e.g., aplatform adapter 216 that provides Kerberos authentication). Theidentity provider 206 can then wait for theplatform adapter 216 to respond to the authentication attempt of theidentity provider 206. - Proceeding to step 926, the
platform adapter 216 can determine that the initial authentication request contains insufficient information to perform Kerberos authentication. Theplatform adapter 216 therefore can send a Kerberos challenge to theclient application 224. In some implementations, the initial authentication request will be expected to fail because a Kerberos authentication has not yet been performed. - Moving on to step 929, the operating system 219 (e.g., iOS) can intercept the Kerberos challenge. The
operating system 219 can then send the certificate previously provisioned instep 906 to theKDC 207 previously configured instep 906 in order to obtain a service ticket to present to theplatform adapter 216 in response to the Kerberos challenge. - Referring next to step 933, the
KDC 207 can determine whether the certificate provided by theoperating system 219 has been revoked. For example, theKDC 207 can send the certificate's fingerprint or other identifying information about the certificate to anOCSP service 210 to verify that the certificate is still valid. However, in alternative implementations, theKDC 207 could request a certificate revocation list from thecertificate authority 208 and determine whether the certificate is included in the certificate revocation list. - Proceeding to step 936, the
OCSP service 210 can determine the revocation status of the certificate. For example, theOCSP service 210 could compare the certificate's unique identifier to a list of identifiers of revoked certificates previously issued by thecertificate authority 208. As another example, theOCSP service 210 could compare the certificate's unique identifier to a list of identifiers of certificates issued by thecertificate authority 208 that are known to still be valid. If the certificate is still valid, theOCSP service 210 can send a response to theKDC 207 indicating that the certificate is still valid. - Moving on to step 939, the
KDC 207 can provide a ticket-granting ticket to theoperating system 219 based on the validation of the certificate by theOCSP service 210. Referring next to step 943, theoperating system 219 can send a request for a service ticket to theKDC 207. The service ticket may be associated with one ormore service providers 209, allowing aclient device 203 that has the service ticket to access each of the associatedservice providers 209 for as long as the service ticket remains valid. - Proceeding to step 946, the
KDC 207 can generate a service ticket and can provide it to theoperating system 219. To generate the service ticket, theKDC 207 first determines that the ticket-granting ticket received from theoperating system 219 is valid (e.g., has not expired or was previously issued by theKDC 207 or another trusted KDC 207). TheKDC 207 can also check any access permissions associated with the ticket-granting ticket (e.g., whether the ticket-granting ticket authorized to receive a service ticket for access to a particular service provider 209). Assuming that the ticket-granting ticket is valid and the access permissions associated with ticket-granting ticket permit theclient device 203 to access theservice provider 209, theKDC 207 generates the service ticket and sends it to theoperating system 219. Moving on to step 949, theoperating system 219 provides the service ticket to theplatform adapter 216. - Referring next to step 953, the
platform adapter 216 receives and validates the service ticket. For example, theplatform adapter 216 can verify the validity of the service ticket (e.g., issued byauthorized KDC 207, has not expired, or similar checks) and whether the service ticket permits access to therequest service provider 209. If the service ticket is valid and can be used to access theservice provider 209, theplatform adapter 216 then responds (e.g. using a function callback) to the login request submitted by theidentity provider 206 indicating that theclient application 224 is authenticated and authorized to access theservice provider 209. - Proceeding to step 956, the
identity provider 206 sends a SAML response to theclient application 224 granting access to theservice provider 209. The SAML response may include information that was included in the service ticket, such as a username or similar identifier, as well as an assertion that theclient application 224 is authorized to access theservice provider 209. - Moving on to step 959, the
client application 224 sends the SAML response received from theidentity provider 206 to the service provider indicating that the login was successful. Theservice provider 209 can validate or verify the information in the SAML response and then grant theclient application 224 access to theservice provider 209. Referring next to step 963, theservice provider 209 begins to send application data to theclient application 224 in response to requests from theclient application 224. - The flowcharts of
FIGS. 4-8 and the sequence diagrams ofFIG. 3 andFIG. 9 show examples of the functionality and operation of implementations of components described herein. The components described herein can be embodied in hardware, software, or a combination of hardware and software. If embodied in software, each element can represent a module of code or a portion of code that includes program instructions to implement the specified logical function(s). The program instructions can be embodied in the form of, for example, source code that includes human-readable statements written in a programming language or machine code that includes machine instructions recognizable by a suitable execution system, such as a processor in a computer system or other system. If embodied in hardware, each element can represent a circuit or a number of interconnected circuits that implement the specified logical function(s). - Although the flowcharts and sequence diagram show a specific order of execution, it is understood that the order of execution can differ from that which is shown. For example, the order of execution of two or more elements can be switched relative to the order shown. Also, two or more elements shown in succession can be executed concurrently or with partial concurrence. Further, in some examples, one or more of the elements shown in the flowcharts can be skipped or omitted.
- The
client device 203, thedevice management service 204, theidentity provider 206, theservice providers 209, or other components described herein can include at least one processing circuit. Such a processing circuit can include, for example, one or more processors and one or more storage devices that are coupled to a local interface. The local interface can include, for example, a data bus with an accompanying address/control bus or any other suitable bus structure. - The one or more storage devices for a processing circuit can store data or components that are executable by the one or more processors of the processing circuit. For example, the
device management service 204, theidentity provider 206, theservice providers 209, themanagement application 221, theclient applications 224, and/or other components can be stored in one or more storage devices and be executable by one or more processors. Also, a data store, such as theidentity data store 215 or themanagement data store 213 can be stored in the one or more storage devices. - The
identity provider 206, thedevice management service 204, theservice providers 209, themanagement application 221, theclient applications 224, and/or other components described herein can be embodied in the form of hardware, as software components that are executable by hardware, or as a combination of software and hardware. If embodied as hardware, the components described herein can be implemented as a circuit or state machine that employs any suitable hardware technology. The hardware technology can include, for example, one or more microprocessors, discrete logic circuits having logic gates for implementing various logic functions upon an application of one or more data signals, application specific integrated circuits (ASICs) having appropriate logic gates, programmable logic devices (e.g., field-programmable gate array (FPGAs), and complex programmable logic devices (CPLDs)). - Also, one or more or more of the components described herein that include software or program instructions can be embodied in any non-transitory computer-readable medium for use by or in connection with an instruction execution system such as, a processor in a computer system or other system. The computer-readable medium can contain, store, and/or maintain the software or program instructions for use by or in connection with the instruction execution system.
- A computer-readable medium can include a physical media, such as, magnetic, optical, semiconductor, and/or other suitable media. Examples of a suitable computer-readable media include, but are not limited to, solid-state drives, magnetic drives, or flash memory. Further, any logic or component described herein can be implemented and structured in a variety of ways. For example, one or more components described can be implemented as modules or components of a single application. Further, one or more components described herein can be executed in one computing device or by using multiple computing devices.
- It is emphasized that the above-described examples of the present disclosure are merely examples of implementations to set forth for a clear understanding of the principles of the disclosure. Many variations and modifications can be made to the above-described examples without departing substantially from the spirit and principles of the disclosure. All such modifications and variations are intended to be included herein within the scope of this disclosure.
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/428,467 US10944738B2 (en) | 2015-06-15 | 2017-02-09 | Single sign-on for managed mobile devices using kerberos |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/739,975 US10812464B2 (en) | 2015-06-15 | 2015-06-15 | Single sign-on for managed mobile devices |
US15/428,467 US10944738B2 (en) | 2015-06-15 | 2017-02-09 | Single sign-on for managed mobile devices using kerberos |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/739,975 Continuation-In-Part US10812464B2 (en) | 2015-06-15 | 2015-06-15 | Single sign-on for managed mobile devices |
Publications (2)
Publication Number | Publication Date |
---|---|
US20170155640A1 true US20170155640A1 (en) | 2017-06-01 |
US10944738B2 US10944738B2 (en) | 2021-03-09 |
Family
ID=58777521
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/428,467 Active 2036-03-20 US10944738B2 (en) | 2015-06-15 | 2017-02-09 | Single sign-on for managed mobile devices using kerberos |
Country Status (1)
Country | Link |
---|---|
US (1) | US10944738B2 (en) |
Cited By (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10277572B2 (en) * | 2016-04-12 | 2019-04-30 | Blackberry Limited | Provisioning enterprise services provided by an infrastructure service server |
US20190141125A1 (en) * | 2017-11-03 | 2019-05-09 | Bank Of America Corporation | Cross application access provisioning system |
CN109829276A (en) * | 2018-12-17 | 2019-05-31 | 航天信息股份有限公司 | A kind of electronic invoice Explore of Unified Management Ideas and system based on FIDO agreement authentication |
US10951606B1 (en) * | 2019-12-04 | 2021-03-16 | Acceptto Corporation | Continuous authentication through orchestration and risk calculation post-authorization system and method |
US20210092111A1 (en) * | 2017-09-27 | 2021-03-25 | Amazon Technologies, Inc. | Network traffic distribution using certificate scanning in agent-based architecture |
US20210260474A1 (en) * | 2019-09-04 | 2021-08-26 | Take-Two Interactive Software, Inc. | System and method for managing transactions in a multiplayer network gaming environment |
US11159511B1 (en) | 2019-01-10 | 2021-10-26 | Microstrategy Incorporated | Authentication protocol management |
US11252573B1 (en) | 2019-08-04 | 2022-02-15 | Acceptto Corporation | System and method for rapid check-in and inheriting trust using a mobile device |
US11329998B1 (en) | 2020-08-31 | 2022-05-10 | Secureauth Corporation | Identification (ID) proofing and risk engine integration system and method |
US11367323B1 (en) | 2018-01-16 | 2022-06-21 | Secureauth Corporation | System and method for secure pair and unpair processing using a dynamic level of assurance (LOA) score |
US20220210646A1 (en) * | 2020-12-29 | 2022-06-30 | T-Mobile Usa, Inc. | Forcing re-authentication of users for accessing online services |
US20220247578A1 (en) * | 2021-01-29 | 2022-08-04 | Okta, Inc. | Attestation of device management within authentication flow |
US20230239285A1 (en) * | 2022-01-21 | 2023-07-27 | Vmware, Inc. | Secure inter-application communication with unmanaged applications using certificate enrollment |
US20230362643A1 (en) * | 2022-05-06 | 2023-11-09 | Verizon Patent And Licensing Inc. | Systems and methods for seamless cross-application authentication |
US12035136B1 (en) | 2020-08-01 | 2024-07-09 | Secureauth Corporation | Bio-behavior system and method |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP4437688A1 (en) * | 2021-11-24 | 2024-10-02 | Island Technology, Inc. | Enforcement of enterprise browser use |
Citations (46)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5781909A (en) * | 1996-02-13 | 1998-07-14 | Microtouch Systems, Inc. | Supervised satellite kiosk management system with combined local and remote data storage |
US5864665A (en) * | 1996-08-20 | 1999-01-26 | International Business Machines Corporation | Auditing login activity in a distributed computing environment |
US20020078153A1 (en) * | 2000-11-02 | 2002-06-20 | Chit Chung | Providing secure, instantaneous, directory-integrated, multiparty, communications services |
US20020133725A1 (en) * | 2001-03-14 | 2002-09-19 | Roy Ronald B. | Biometric access control and time and attendance network including configurable system-on-chip (CSOC) processors with embedded programmable logic |
US20050074126A1 (en) * | 2002-01-29 | 2005-04-07 | Stanko Joseph A. | Single sign-on over the internet using public-key cryptography |
US20060206707A1 (en) * | 2005-03-11 | 2006-09-14 | Microsoft Corporation | Format-agnostic system and method for issuing certificates |
US20070028095A1 (en) * | 2005-07-28 | 2007-02-01 | Allen David L | Security certificate management |
US20080072303A1 (en) * | 2006-09-14 | 2008-03-20 | Schlumberger Technology Corporation | Method and system for one time password based authentication and integrated remote access |
US20080134049A1 (en) * | 2006-11-22 | 2008-06-05 | Binita Gupta | Apparatus and methods of linking to an application on a wireless device |
US20080263653A1 (en) * | 2007-04-17 | 2008-10-23 | International Business Machines Corporation | Apparatus, system, and method for establishing a reusable and reconfigurable model for fast and persistent connections in database drivers |
US20100082491A1 (en) * | 2008-09-30 | 2010-04-01 | Apple Inc. | System and method for providing electronic event tickets |
US20100235918A1 (en) * | 2009-03-13 | 2010-09-16 | Rami Mizrahi | Method and Apparatus for Phishing and Leeching Vulnerability Detection |
US20100318636A1 (en) * | 2008-01-31 | 2010-12-16 | Bizmobile Inc. | System and method for providing mobile service |
US20110126002A1 (en) * | 2009-11-24 | 2011-05-26 | Christina Fu | Token renewal |
US8145909B1 (en) * | 2007-05-16 | 2012-03-27 | Adobe Systems Incorporated | Digitally signing an electronic document using seed data |
US20120245990A1 (en) * | 2011-03-26 | 2012-09-27 | Shwetav Agarwal | Systems and methods for facilitating customer acquisition by businesses |
US20120290336A1 (en) * | 2011-05-09 | 2012-11-15 | Apple Inc. | System and method for providing event-related incentives |
US20130049928A1 (en) * | 2011-08-29 | 2013-02-28 | International Business Machines Corporation | Just in time visitor authentication and visitor access media issuance for a physical site |
US20130117831A1 (en) * | 2010-04-30 | 2013-05-09 | Lock Box Pty Ltd | Method and system for enabling computer access |
US20130124756A1 (en) * | 2011-11-14 | 2013-05-16 | Microsoft Corporation | Unauthenticated redirection requests with protection |
US8510818B2 (en) * | 2002-10-31 | 2013-08-13 | Microsoft Corporation | Selective cross-realm authentication |
US20130276080A1 (en) * | 2012-04-11 | 2013-10-17 | Vodafone Holding Gmbh | Method of authenticating a user at a service on a service server, application and system |
US20130290226A1 (en) * | 2012-04-05 | 2013-10-31 | Maynard Dokken | System and method for social graph and graph assets valuation and monetization |
US20140007198A1 (en) * | 2012-06-29 | 2014-01-02 | Cable Television Laboratories, Inc. | Application authorization for video services |
US8635373B1 (en) * | 2012-09-22 | 2014-01-21 | Nest Labs, Inc. | Subscription-Notification mechanisms for synchronization of distributed states |
US20140052548A1 (en) * | 2012-07-18 | 2014-02-20 | Maynard L. Dokken, JR. | System and method for automated advocate marketing with digital rights registration |
US20140082715A1 (en) * | 2012-09-19 | 2014-03-20 | Secureauth Corporation | Mobile multifactor single-sign-on authentication |
US8745718B1 (en) * | 2012-08-20 | 2014-06-03 | Jericho Systems Corporation | Delivery of authentication information to a RESTful service using token validation scheme |
US20140156732A1 (en) * | 2012-12-04 | 2014-06-05 | International Business Machines Corporation | Splitting of Processing Logics Associated with Commands of Pages in a Distributed Application |
US8762947B2 (en) * | 2010-04-01 | 2014-06-24 | Salesforce.Com, Inc. | System, method and computer program product for debugging an assertion |
US20140279622A1 (en) * | 2013-03-08 | 2014-09-18 | Sudhakar Bharadwaj | System and method for semantic processing of personalized social data and generating probability models of personal context to generate recommendations in searching applications |
US8850546B1 (en) * | 2012-09-30 | 2014-09-30 | Emc Corporation | Privacy-preserving user attribute release and session management |
US20140310792A1 (en) * | 2013-04-12 | 2014-10-16 | Globoforce Limited | System and Method for Mobile Single Sign-On Integration |
US20140376403A1 (en) * | 2013-06-19 | 2014-12-25 | Facebook, Inc. | Detecting Carriers for Mobile Devices |
US20150046997A1 (en) * | 2013-05-14 | 2015-02-12 | Citrix Systems, Inc. | Accessing Enterprise Resources While Providing Denial-of-Service Attack Protection |
US20150052584A1 (en) * | 2013-08-13 | 2015-02-19 | News UK & Ireland Limited | Access Control System |
US8984149B1 (en) * | 2014-03-06 | 2015-03-17 | Iboss, Inc. | Applying policies to subnets |
US20150188999A1 (en) * | 2013-12-28 | 2015-07-02 | Johnson Manuel-Devadoss | System and method to extend the capabilities of a web browser to improve the web application performance |
US20150317466A1 (en) * | 2014-05-02 | 2015-11-05 | Verificient Technologies, Inc. | Certificate verification system and methods of performing the same |
US20160065565A1 (en) * | 2014-09-01 | 2016-03-03 | Aorato Ltd | System, Method and Process for Detecting Advanced and Targeted Attacks with the Recoupling of Kerberos Authentication and Authorization |
US20160077901A1 (en) * | 2014-09-17 | 2016-03-17 | StrongLoop, Inc | Dynamic Determination of Local and Remote API Calls |
US20160162910A1 (en) * | 2014-12-09 | 2016-06-09 | Verizon Patent And Licensing Inc. | Capture of retail store data and aggregated metrics |
US20160219060A1 (en) * | 2015-01-26 | 2016-07-28 | Mobile Iron, Inc. | Identity proxy to provide access control and single sign on |
US20160269898A1 (en) * | 2015-03-09 | 2016-09-15 | Neustar, Inc. | System and method for secure device authentication |
US20160323280A1 (en) * | 2015-04-29 | 2016-11-03 | Cyber-Ark Software Ltd. | Privileged access to target services |
US20170034168A1 (en) * | 2014-09-16 | 2017-02-02 | Nok Nok Labs, Inc. | System and method for integrating an authentication service within a network architecture |
Family Cites Families (85)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5930786A (en) | 1995-10-20 | 1999-07-27 | Ncr Corporation | Method and apparatus for providing shared data to a requesting client |
KR100484209B1 (en) * | 1998-09-24 | 2005-09-30 | 삼성전자주식회사 | Digital Content Encryption / Decryption Device and Method |
WO2002031748A1 (en) * | 2000-10-12 | 2002-04-18 | At & T Corp. | Common protocol for accessing value-added services |
US8020199B2 (en) | 2001-02-14 | 2011-09-13 | 5th Fleet, L.L.C. | Single sign-on system, method, and access device |
US7996888B2 (en) | 2002-01-11 | 2011-08-09 | Nokia Corporation | Virtual identity apparatus and method for using same |
US7231663B2 (en) | 2002-02-04 | 2007-06-12 | General Instrument Corporation | System and method for providing key management protocol with client verification of authorization |
US7191467B1 (en) * | 2002-03-15 | 2007-03-13 | Microsoft Corporation | Method and system of integrating third party authentication into internet browser code |
US20040128542A1 (en) * | 2002-12-31 | 2004-07-01 | International Business Machines Corporation | Method and system for native authentication protocols in a heterogeneous federated environment |
US7788711B1 (en) | 2003-10-09 | 2010-08-31 | Oracle America, Inc. | Method and system for transferring identity assertion information between trusted partner sites in a network using artifacts |
JP2005286959A (en) | 2004-03-31 | 2005-10-13 | Sony Corp | Information processing method, decoding processing method, information processor and computer program |
US8214887B2 (en) | 2005-03-20 | 2012-07-03 | Actividentity (Australia) Pty Ltd. | Method and system for providing user access to a secure application |
US8245292B2 (en) | 2005-11-16 | 2012-08-14 | Broadcom Corporation | Multi-factor authentication using a smartcard |
US7853995B2 (en) | 2005-11-18 | 2010-12-14 | Microsoft Corporation | Short-lived certificate authority service |
US20100242102A1 (en) * | 2006-06-27 | 2010-09-23 | Microsoft Corporation | Biometric credential verification framework |
US8775402B2 (en) | 2006-08-15 | 2014-07-08 | Georgia State University Research Foundation, Inc. | Trusted query network systems and methods |
US20080115198A1 (en) | 2006-10-31 | 2008-05-15 | Hsu Paul J | Multi-factor authentication transfer |
US8627409B2 (en) * | 2007-05-15 | 2014-01-07 | Oracle International Corporation | Framework for automated dissemination of security metadata for distributed trust establishment |
US8621561B2 (en) * | 2008-01-04 | 2013-12-31 | Microsoft Corporation | Selective authorization based on authentication input attributes |
US8661252B2 (en) * | 2008-06-20 | 2014-02-25 | Microsoft Corporation | Secure network address provisioning |
US8561087B2 (en) * | 2008-07-16 | 2013-10-15 | Sandisk Il Ltd. | Methods for enabling software in storage-capable devices |
US9836702B2 (en) | 2008-10-16 | 2017-12-05 | International Business Machines Corporation | Digital rights management (DRM)-enabled policy management for an identity provider in a federated environment |
US9548859B2 (en) | 2008-12-03 | 2017-01-17 | Google Technology Holdings LLC | Ticket-based implementation of content leasing |
WO2010083889A1 (en) | 2009-01-23 | 2010-07-29 | Nokia Siemens Networks Oy | Identity management scheme |
WO2010094331A1 (en) | 2009-02-19 | 2010-08-26 | Nokia Siemens Networks Oy | Authentication to an identity provider |
US20110099607A1 (en) | 2009-10-27 | 2011-04-28 | Activepath Ltd. | Method of authenticating and branding emails and other messages using information available in a message list |
JP4890605B2 (en) | 2009-12-08 | 2012-03-07 | シャープ株式会社 | MFP, MFP control system, program and recording medium |
EP2532132A1 (en) | 2010-02-05 | 2012-12-12 | Nokia Siemens Networks Oy | Improved identity management |
US8898457B2 (en) | 2010-02-26 | 2014-11-25 | Red Hat, Inc. | Automatically generating a certificate operation request |
US8566917B2 (en) * | 2010-03-19 | 2013-10-22 | Salesforce.Com, Inc. | Efficient single sign-on and identity provider configuration and deployment in a database system |
GB2495663B (en) | 2010-08-13 | 2014-08-27 | Jason Dean Hart | System and method for converging RFID building security with PKI techniques |
US8621448B2 (en) | 2010-09-23 | 2013-12-31 | Apple Inc. | Systems and methods for compiler-based vectorization of non-leaf code |
US8881247B2 (en) | 2010-09-24 | 2014-11-04 | Microsoft Corporation | Federated mobile authentication using a network operator infrastructure |
US20120144501A1 (en) | 2010-12-03 | 2012-06-07 | Salesforce.Com, Inc. | Regulating access to protected data resources using upgraded access tokens |
US9413750B2 (en) | 2011-02-11 | 2016-08-09 | Oracle International Corporation | Facilitating single sign-on (SSO) across multiple browser instance |
WO2012130782A1 (en) * | 2011-03-25 | 2012-10-04 | Gemalto Sa | User to user delegation service in a federated identity management environment |
EP2913976B1 (en) | 2011-04-28 | 2017-08-09 | Interdigital Patent Holdings, Inc. | Sso framework for multiple sso technologies |
US8839395B2 (en) | 2011-05-13 | 2014-09-16 | Cch Incorporated | Single sign-on between applications |
US8650622B2 (en) | 2011-07-01 | 2014-02-11 | Telefonaktiebolaget Lm Ericsson (Publ) | Methods and arrangements for authorizing and authentication interworking |
EP2730078A1 (en) * | 2011-07-07 | 2014-05-14 | CiscoTechnology Inc. | System and method for providing a message and an event based video services control plane |
US20130031631A1 (en) | 2011-07-25 | 2013-01-31 | Lenovo (Singapore) Pte. Ltd. | Detection of unauthorized device access or modifications |
US9495533B2 (en) | 2011-09-29 | 2016-11-15 | Oracle International Corporation | Mobile application, identity relationship management |
US8732805B2 (en) * | 2011-09-30 | 2014-05-20 | Oracle International Corporation | Re-authentication in secure web service conversations |
US9774581B2 (en) | 2012-01-20 | 2017-09-26 | Interdigital Patent Holdings, Inc. | Identity management with local functionality |
US9722972B2 (en) * | 2012-02-26 | 2017-08-01 | Oracle International Corporation | Methods and apparatuses for secure communication |
US8392712B1 (en) * | 2012-04-04 | 2013-03-05 | Aruba Networks, Inc. | System and method for provisioning a unique device credential |
EP2842296A2 (en) * | 2012-04-27 | 2015-03-04 | Interdigital Patent Holdings, Inc. | Method and apparatuses for supporting proximity discovery procedures |
US10049204B2 (en) | 2012-05-15 | 2018-08-14 | Symantec Corporation | Computer readable storage media for multi-factor authentication and methods and systems utilizing same |
JP5968077B2 (en) | 2012-05-22 | 2016-08-10 | キヤノン株式会社 | Information processing apparatus, control method therefor, program, and image processing apparatus |
US9246907B2 (en) | 2012-07-12 | 2016-01-26 | International Business Machines Corporation | Confidence-based authentication discovery for an outbound proxy |
US9602473B2 (en) * | 2012-09-06 | 2017-03-21 | Zixcorp Systems, Inc. | Secure message forwarding with sender controlled decryption |
US9436428B2 (en) * | 2012-11-08 | 2016-09-06 | Ebay Inc. | Methods, apparatus, and system for mobile piggybacking |
US8806205B2 (en) | 2012-12-27 | 2014-08-12 | Motorola Solutions, Inc. | Apparatus for and method of multi-factor authentication among collaborating communication devices |
US20140189827A1 (en) | 2012-12-27 | 2014-07-03 | Motorola Solutions, Inc. | System and method for scoping a user identity assertion to collaborative devices |
US9124582B2 (en) | 2013-02-20 | 2015-09-01 | Fmr Llc | Mobile security fob |
US20140245411A1 (en) | 2013-02-22 | 2014-08-28 | Nokia Corporation | Method and apparatus for providing account-less access via an account connector platform |
US8613055B1 (en) | 2013-02-22 | 2013-12-17 | Ping Identity Corporation | Methods and apparatus for selecting an authentication mode at time of issuance of an access token |
US8997187B2 (en) | 2013-03-15 | 2015-03-31 | Airwatch Llc | Delegating authorization to applications on a client device in a networked environment |
US20140285337A1 (en) * | 2013-03-21 | 2014-09-25 | Mark Anthony Gebhardt | Automobile Alert System for Recording and Communicating Incidents to Remote Monitoring Devices |
US9355223B2 (en) | 2013-03-29 | 2016-05-31 | Citrix Systems, Inc. | Providing a managed browser |
US9154488B2 (en) * | 2013-05-03 | 2015-10-06 | Citrix Systems, Inc. | Secured access to resources using a proxy |
US8924608B2 (en) | 2013-06-25 | 2014-12-30 | Airwatch Llc | Peripheral device management |
KR101764197B1 (en) * | 2013-06-27 | 2017-08-02 | 인텔 코포레이션 | Continuous multi-factor authentication |
US9106642B1 (en) | 2013-09-11 | 2015-08-11 | Amazon Technologies, Inc. | Synchronizing authentication sessions between applications |
US20150120572A1 (en) | 2013-10-25 | 2015-04-30 | Nitro Mobile Solutions, LLC | Location based mobile deposit security feature |
IN2013MU03727A (en) | 2013-11-27 | 2015-07-31 | Tata Consultancy Services Ltd | |
US10362026B2 (en) | 2013-12-16 | 2019-07-23 | Amazon Technologies, Inc. | Providing multi-factor authentication credentials via device notifications |
US9276933B2 (en) | 2013-12-20 | 2016-03-01 | Sharp Laboratories Of America, Inc. | Security token caching in centralized authentication systems |
US20150193872A1 (en) | 2014-01-06 | 2015-07-09 | iVinci Partners, LLC | Systems and methods of managing payments that enable configurable financing and payment terms |
WO2015130700A1 (en) | 2014-02-26 | 2015-09-03 | Secureauth Corporation | Security object creation, validation, and assertion for single sign on authentication |
US9525664B2 (en) | 2014-02-28 | 2016-12-20 | Symantec Corporation | Systems and methods for providing secure access to local network devices |
WO2015154066A1 (en) | 2014-04-04 | 2015-10-08 | David Goldschlag | Method for authentication and assuring compliance of devices accessing external services |
US9578004B2 (en) | 2014-09-12 | 2017-02-21 | Ca, Inc. | Authentication of API-based endpoints |
US9819668B2 (en) | 2014-10-22 | 2017-11-14 | Ca, Inc. | Single sign on for native and wrapped web resources on mobile devices |
US9794329B2 (en) * | 2014-11-28 | 2017-10-17 | Sap Se | Cloud application with secure local access |
US9473486B2 (en) | 2014-12-05 | 2016-10-18 | International Business Machines Corporation | Single sign on availability |
US9467457B2 (en) * | 2015-01-13 | 2016-10-11 | Oracle International Corporation | Identity management and authentication system for resource access |
US20180324172A1 (en) | 2015-02-01 | 2018-11-08 | Mahesh Unnikrishnan | Single sign-on for remote applications |
US11736468B2 (en) | 2015-03-16 | 2023-08-22 | Assa Abloy Ab | Enhanced authorization |
US9930025B2 (en) | 2015-03-23 | 2018-03-27 | Duo Security, Inc. | System and method for automatic service discovery and protection |
US9225711B1 (en) | 2015-05-14 | 2015-12-29 | Fmr Llc | Transferring an authenticated session between security contexts |
US9864852B2 (en) | 2015-07-27 | 2018-01-09 | Amazon Technologies, Inc. | Approaches for providing multi-factor authentication credentials |
US20170046758A1 (en) | 2015-08-10 | 2017-02-16 | GreenLight Me, Inc. | Payment Approval Platform |
US9866546B2 (en) | 2015-10-29 | 2018-01-09 | Airwatch Llc | Selectively enabling multi-factor authentication for managed devices |
US10171457B2 (en) | 2015-12-29 | 2019-01-01 | International Business Machines Corporation | Service provider initiated additional authentication in a federated system |
US10454915B2 (en) * | 2017-05-18 | 2019-10-22 | Oracle International Corporation | User authentication using kerberos with identity cloud service |
-
2017
- 2017-02-09 US US15/428,467 patent/US10944738B2/en active Active
Patent Citations (46)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5781909A (en) * | 1996-02-13 | 1998-07-14 | Microtouch Systems, Inc. | Supervised satellite kiosk management system with combined local and remote data storage |
US5864665A (en) * | 1996-08-20 | 1999-01-26 | International Business Machines Corporation | Auditing login activity in a distributed computing environment |
US20020078153A1 (en) * | 2000-11-02 | 2002-06-20 | Chit Chung | Providing secure, instantaneous, directory-integrated, multiparty, communications services |
US20020133725A1 (en) * | 2001-03-14 | 2002-09-19 | Roy Ronald B. | Biometric access control and time and attendance network including configurable system-on-chip (CSOC) processors with embedded programmable logic |
US20050074126A1 (en) * | 2002-01-29 | 2005-04-07 | Stanko Joseph A. | Single sign-on over the internet using public-key cryptography |
US8510818B2 (en) * | 2002-10-31 | 2013-08-13 | Microsoft Corporation | Selective cross-realm authentication |
US20060206707A1 (en) * | 2005-03-11 | 2006-09-14 | Microsoft Corporation | Format-agnostic system and method for issuing certificates |
US20070028095A1 (en) * | 2005-07-28 | 2007-02-01 | Allen David L | Security certificate management |
US20080072303A1 (en) * | 2006-09-14 | 2008-03-20 | Schlumberger Technology Corporation | Method and system for one time password based authentication and integrated remote access |
US20080134049A1 (en) * | 2006-11-22 | 2008-06-05 | Binita Gupta | Apparatus and methods of linking to an application on a wireless device |
US20080263653A1 (en) * | 2007-04-17 | 2008-10-23 | International Business Machines Corporation | Apparatus, system, and method for establishing a reusable and reconfigurable model for fast and persistent connections in database drivers |
US8145909B1 (en) * | 2007-05-16 | 2012-03-27 | Adobe Systems Incorporated | Digitally signing an electronic document using seed data |
US20100318636A1 (en) * | 2008-01-31 | 2010-12-16 | Bizmobile Inc. | System and method for providing mobile service |
US20100082491A1 (en) * | 2008-09-30 | 2010-04-01 | Apple Inc. | System and method for providing electronic event tickets |
US20100235918A1 (en) * | 2009-03-13 | 2010-09-16 | Rami Mizrahi | Method and Apparatus for Phishing and Leeching Vulnerability Detection |
US20110126002A1 (en) * | 2009-11-24 | 2011-05-26 | Christina Fu | Token renewal |
US8762947B2 (en) * | 2010-04-01 | 2014-06-24 | Salesforce.Com, Inc. | System, method and computer program product for debugging an assertion |
US20130117831A1 (en) * | 2010-04-30 | 2013-05-09 | Lock Box Pty Ltd | Method and system for enabling computer access |
US20120245990A1 (en) * | 2011-03-26 | 2012-09-27 | Shwetav Agarwal | Systems and methods for facilitating customer acquisition by businesses |
US20120290336A1 (en) * | 2011-05-09 | 2012-11-15 | Apple Inc. | System and method for providing event-related incentives |
US20130049928A1 (en) * | 2011-08-29 | 2013-02-28 | International Business Machines Corporation | Just in time visitor authentication and visitor access media issuance for a physical site |
US20130124756A1 (en) * | 2011-11-14 | 2013-05-16 | Microsoft Corporation | Unauthenticated redirection requests with protection |
US20130290226A1 (en) * | 2012-04-05 | 2013-10-31 | Maynard Dokken | System and method for social graph and graph assets valuation and monetization |
US20130276080A1 (en) * | 2012-04-11 | 2013-10-17 | Vodafone Holding Gmbh | Method of authenticating a user at a service on a service server, application and system |
US20140007198A1 (en) * | 2012-06-29 | 2014-01-02 | Cable Television Laboratories, Inc. | Application authorization for video services |
US20140052548A1 (en) * | 2012-07-18 | 2014-02-20 | Maynard L. Dokken, JR. | System and method for automated advocate marketing with digital rights registration |
US8745718B1 (en) * | 2012-08-20 | 2014-06-03 | Jericho Systems Corporation | Delivery of authentication information to a RESTful service using token validation scheme |
US20140082715A1 (en) * | 2012-09-19 | 2014-03-20 | Secureauth Corporation | Mobile multifactor single-sign-on authentication |
US8635373B1 (en) * | 2012-09-22 | 2014-01-21 | Nest Labs, Inc. | Subscription-Notification mechanisms for synchronization of distributed states |
US8850546B1 (en) * | 2012-09-30 | 2014-09-30 | Emc Corporation | Privacy-preserving user attribute release and session management |
US20140156732A1 (en) * | 2012-12-04 | 2014-06-05 | International Business Machines Corporation | Splitting of Processing Logics Associated with Commands of Pages in a Distributed Application |
US20140279622A1 (en) * | 2013-03-08 | 2014-09-18 | Sudhakar Bharadwaj | System and method for semantic processing of personalized social data and generating probability models of personal context to generate recommendations in searching applications |
US20140310792A1 (en) * | 2013-04-12 | 2014-10-16 | Globoforce Limited | System and Method for Mobile Single Sign-On Integration |
US20150046997A1 (en) * | 2013-05-14 | 2015-02-12 | Citrix Systems, Inc. | Accessing Enterprise Resources While Providing Denial-of-Service Attack Protection |
US20140376403A1 (en) * | 2013-06-19 | 2014-12-25 | Facebook, Inc. | Detecting Carriers for Mobile Devices |
US20150052584A1 (en) * | 2013-08-13 | 2015-02-19 | News UK & Ireland Limited | Access Control System |
US20150188999A1 (en) * | 2013-12-28 | 2015-07-02 | Johnson Manuel-Devadoss | System and method to extend the capabilities of a web browser to improve the web application performance |
US8984149B1 (en) * | 2014-03-06 | 2015-03-17 | Iboss, Inc. | Applying policies to subnets |
US20150317466A1 (en) * | 2014-05-02 | 2015-11-05 | Verificient Technologies, Inc. | Certificate verification system and methods of performing the same |
US20160065565A1 (en) * | 2014-09-01 | 2016-03-03 | Aorato Ltd | System, Method and Process for Detecting Advanced and Targeted Attacks with the Recoupling of Kerberos Authentication and Authorization |
US20170034168A1 (en) * | 2014-09-16 | 2017-02-02 | Nok Nok Labs, Inc. | System and method for integrating an authentication service within a network architecture |
US20160077901A1 (en) * | 2014-09-17 | 2016-03-17 | StrongLoop, Inc | Dynamic Determination of Local and Remote API Calls |
US20160162910A1 (en) * | 2014-12-09 | 2016-06-09 | Verizon Patent And Licensing Inc. | Capture of retail store data and aggregated metrics |
US20160219060A1 (en) * | 2015-01-26 | 2016-07-28 | Mobile Iron, Inc. | Identity proxy to provide access control and single sign on |
US20160269898A1 (en) * | 2015-03-09 | 2016-09-15 | Neustar, Inc. | System and method for secure device authentication |
US20160323280A1 (en) * | 2015-04-29 | 2016-11-03 | Cyber-Ark Software Ltd. | Privileged access to target services |
Cited By (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10277572B2 (en) * | 2016-04-12 | 2019-04-30 | Blackberry Limited | Provisioning enterprise services provided by an infrastructure service server |
US20210092111A1 (en) * | 2017-09-27 | 2021-03-25 | Amazon Technologies, Inc. | Network traffic distribution using certificate scanning in agent-based architecture |
US20190141125A1 (en) * | 2017-11-03 | 2019-05-09 | Bank Of America Corporation | Cross application access provisioning system |
US12056975B1 (en) | 2018-01-16 | 2024-08-06 | Secureauth Corporation | System and method for secure pair and unpair processing using a dynamic level of assurance (LOA) score |
US11367323B1 (en) | 2018-01-16 | 2022-06-21 | Secureauth Corporation | System and method for secure pair and unpair processing using a dynamic level of assurance (LOA) score |
CN109829276A (en) * | 2018-12-17 | 2019-05-31 | 航天信息股份有限公司 | A kind of electronic invoice Explore of Unified Management Ideas and system based on FIDO agreement authentication |
US11159511B1 (en) | 2019-01-10 | 2021-10-26 | Microstrategy Incorporated | Authentication protocol management |
US11252573B1 (en) | 2019-08-04 | 2022-02-15 | Acceptto Corporation | System and method for rapid check-in and inheriting trust using a mobile device |
US20210260474A1 (en) * | 2019-09-04 | 2021-08-26 | Take-Two Interactive Software, Inc. | System and method for managing transactions in a multiplayer network gaming environment |
US11992755B2 (en) * | 2019-09-04 | 2024-05-28 | Take-Two Interactive Software, Inc. | System and method for managing transactions in a multiplayer network gaming environment |
US11888839B1 (en) * | 2019-12-04 | 2024-01-30 | Secureauth Corporation | Continuous authentication through orchestration and risk calculation post-authentication system and method |
US11552940B1 (en) * | 2019-12-04 | 2023-01-10 | Secureauth Corporation | System and method for continuous authentication of user entity identity using context and behavior for real-time modeling and anomaly detection |
US10951606B1 (en) * | 2019-12-04 | 2021-03-16 | Acceptto Corporation | Continuous authentication through orchestration and risk calculation post-authorization system and method |
US12035136B1 (en) | 2020-08-01 | 2024-07-09 | Secureauth Corporation | Bio-behavior system and method |
US11329998B1 (en) | 2020-08-31 | 2022-05-10 | Secureauth Corporation | Identification (ID) proofing and risk engine integration system and method |
US20220210646A1 (en) * | 2020-12-29 | 2022-06-30 | T-Mobile Usa, Inc. | Forcing re-authentication of users for accessing online services |
US11943618B2 (en) * | 2020-12-29 | 2024-03-26 | T-Mobile Usa, Inc. | Forcing re-authentication of users for accessing online services |
US20220247578A1 (en) * | 2021-01-29 | 2022-08-04 | Okta, Inc. | Attestation of device management within authentication flow |
US20230239285A1 (en) * | 2022-01-21 | 2023-07-27 | Vmware, Inc. | Secure inter-application communication with unmanaged applications using certificate enrollment |
US12081537B2 (en) * | 2022-01-21 | 2024-09-03 | VMware LLC | Secure inter-application communication with unmanaged applications using certificate enrollment |
US20230362643A1 (en) * | 2022-05-06 | 2023-11-09 | Verizon Patent And Licensing Inc. | Systems and methods for seamless cross-application authentication |
US11974131B2 (en) * | 2022-05-06 | 2024-04-30 | Verizon Patent And Licensing Inc. | Systems and methods for seamless cross-application authentication |
Also Published As
Publication number | Publication date |
---|---|
US10944738B2 (en) | 2021-03-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10944738B2 (en) | Single sign-on for managed mobile devices using kerberos | |
US10432608B2 (en) | Selectively enabling multi-factor authentication for managed devices | |
US10536447B2 (en) | Single sign-on for managed mobile devices | |
US9882887B2 (en) | Single sign-on for managed mobile devices | |
US10187374B2 (en) | Multi-factor authentication for managed applications using single sign-on technology | |
US11057364B2 (en) | Single sign-on for managed mobile devices | |
US12063208B2 (en) | Single sign-on for unmanaged mobile devices | |
US11444932B2 (en) | Device verification of an installation of an email client | |
US10356082B2 (en) | Distributing an authentication key to an application installation | |
EP3308525B1 (en) | Single sign-on for unmanaged mobile devices | |
US10032044B2 (en) | Multi-party authentication and authorization |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: FINAL REJECTION MAILED |
|
AS | Assignment |
Owner name: AIRWATCH LLC, GEORGIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:RYKOWSKI, ADAM;BARDAY, KABIR;BRANNON, JONATHAN BLAKE;SIGNING DATES FROM 20190213 TO 20190711;REEL/FRAME:049733/0247 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: FINAL REJECTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
AS | Assignment |
Owner name: UBS AG, STAMFORD BRANCH, CONNECTICUT Free format text: SECURITY INTEREST;ASSIGNOR:OMNISSA, LLC;REEL/FRAME:068118/0004 Effective date: 20240701 |
|
AS | Assignment |
Owner name: OMNISSA, LLC, CALIFORNIA Free format text: PATENT ASSIGNMENT;ASSIGNOR:AIRWATCH LLC;REEL/FRAME:068327/0670 Effective date: 20240630 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 4 |